AF_PACKET is one of the packet capture modes in Trisul. Here is a checklist to ensure this feature works.
- Ensure the kernel version is 4.7.x or later. The stock Ubuntu 16.04.01 and CentOS 7.1 have older versions. In older kernel versions, AF_PACKET FANOUT hashes the two directions of a flow separately. This impacts Trisul features that depend on symmetric hashing, such as TCP reassembly. Ubuntu 16.04.02 has the latest kernel that works out of the box with AF_PACKET.
- Disable the following three offloads on the capture interface (ens0 in this example):
ethtool -K ens0 tso off
ethtool -K ens0 gro off
ethtool -K ens0 gso off
- Use the RAT tool to check whether there are truncated packets and to confirm that capture is running smoothly. To do this, run the following commands on the probe node:
sudo -i
source /usr/local/share/trisul-probe/trisbashrc
rat.af
You will get a real-time, ncurses-based system monitoring screen like the one shown below.
[Image: rat.af monitoring screen]
Here are some AF_PACKET performance metrics you can see from the image:
- truncated -- counts packets in the TPACKET_V3 ring that are larger than the snaplen. If you see non-zero numbers here, it means you need to turn off the NIC offload parameters as explained above.
- empty_close_blocks -- number of times AF_PACKET timed out a block without any packets in it
- pkt/block Gauge -- latest sample of the number of packets in a block
- pkt/block Max -- maximum number of packets per block seen so far
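The first two checklist items can be verified with a script before starting capture. The following is an added example, not part of the original page or of Trisul; the function names are hypothetical, the sample `ethtool -k` output is constructed, and the check compares only the version number reported by `uname -r`.

```shell
#!/bin/sh
# Pre-flight check for an AF_PACKET capture interface (added example).

# Return 0 if a kernel release string such as "4.15.0-45-generic" is 4.7 or later.
kernel_ok() {
    k_major=${1%%.*}            # text before the first dot
    k_minor=${1#*.}             # text after the first dot
    k_minor=${k_minor%%[!0-9]*} # keep only the leading digits
    case "$k_major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$k_minor" ] || return 2
    [ "$k_major" -gt 4 ] || { [ "$k_major" -eq 4 ] && [ "$k_minor" -ge 7 ]; }
}

# Read `ethtool -k <iface>` output on stdin and print which of the three
# offloads from the checklist (tso, gro, gso) are still switched on.
offloads_still_on() {
    awk -F': *' '
        { sub(/^[ \t]+/, "", $1); state = $2 }
        state ~ /^on/ && $1 == "tcp-segmentation-offload"     { out = out " tso" }
        state ~ /^on/ && $1 == "generic-receive-offload"      { out = out " gro" }
        state ~ /^on/ && $1 == "generic-segmentation-offload" { out = out " gso" }
        END { print substr(out, 2) }
    '
}

# Constructed sample of `ethtool -k ens0` output, used for offline testing.
sample_ethtool_output() {
    cat <<'EOF'
Features for ens0:
rx-checksumming: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
}

# Check the running kernel and the given interface; non-zero exit on any finding.
preflight() {
    pf_rc=0
    kernel_ok "$(uname -r)" || { echo "kernel $(uname -r) is older than 4.7"; pf_rc=1; }
    pf_on=$(ethtool -k "$1" | offloads_still_on)
    [ -z "$pf_on" ] || { echo "$1: offloads still enabled: $pf_on"; pf_rc=1; }
    return "$pf_rc"
}

# Usage: sh preflight.sh ens0   (does nothing when run without an argument)
[ $# -eq 0 ] || preflight "$1"
```

A non-zero exit status means either the kernel is too old for symmetric FANOUT hashing or at least one offload still needs to be disabled with `ethtool -K`.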
Hope this helps.