From 765b064257fb770a8ed03da1ed5f209f7bca50d9 Mon Sep 17 00:00:00 2001 From: Tudor Golubenco Date: Wed, 5 Jul 2017 14:14:44 +0200 Subject: [PATCH] Delete pfring code (#4608) The PFring sniffer in Packetbeat is officially unsupported for a longer time, because it depends on a kernel module and because we don't have a good way of testing it, but we left in the code and docs for the people that would like to compile it themselves. However, it appears that it's broken for a long time (#2800), so this PR removes it from code and docs. Closes #4585, #2800. --- CHANGELOG.asciidoc | 2 + packetbeat/Makefile | 4 -- packetbeat/_meta/beat.reference.yml | 3 -- packetbeat/docs/capturing.asciidoc | 19 ++----- .../configuration/packetbeat-options.asciidoc | 6 --- packetbeat/packetbeat.reference.yml | 3 -- packetbeat/sniffer/pfring.go | 50 ------------------- packetbeat/sniffer/pfring_stub.go | 32 ------------ packetbeat/sniffer/sniffer.go | 24 --------- 9 files changed, 5 insertions(+), 138 deletions(-) delete mode 100644 packetbeat/sniffer/pfring.go delete mode 100644 packetbeat/sniffer/pfring_stub.go diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index c619b5f4dd8..9da40299594 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -33,6 +33,8 @@ https://github.com/elastic/beats/compare/v6.0.0-alpha2...master[Check the HEAD d *Packetbeat* +- Remove the already unsupported `pf_ring` sniffer option. {pull}4608[4608] + *Winlogbeat* ==== Bugfixes diff --git a/packetbeat/Makefile b/packetbeat/Makefile index ae1ddf0544e..b79f8c91d8a 100644 --- a/packetbeat/Makefile +++ b/packetbeat/Makefile @@ -6,10 +6,6 @@ ES_BEATS?=.. include ${ES_BEATS}/libbeat/scripts/Makefile -.PHONY: with_pfring -with_pfring: - go build --tags havepfring - # This is called by the beats packer before building starts .PHONY: before-build before-build: diff --git a/packetbeat/_meta/beat.reference.yml b/packetbeat/_meta/beat.reference.yml index 093ea616018..1e82b58aad4 100644 
--- a/packetbeat/_meta/beat.reference.yml +++ b/packetbeat/_meta/beat.reference.yml @@ -18,9 +18,6 @@ packetbeat.interfaces.device: any # not the fastest option. # * af_packet, which uses memory-mapped sniffing. This option is faster than # libpcap and doesn't require a kernel module, but it's Linux-specific. -# * pf_ring, which makes use of an ntop.org project. This setting provides the -# best sniffing speed, but it requires a kernel module, and it's Linux-specific. -# The default sniffer type is pcap. #packetbeat.interfaces.type: pcap # The maximum size of the packets to capture. The default is 65535, which is diff --git a/packetbeat/docs/capturing.asciidoc b/packetbeat/docs/capturing.asciidoc index 423b431f51a..af97b2bc543 100644 --- a/packetbeat/docs/capturing.asciidoc +++ b/packetbeat/docs/capturing.asciidoc @@ -11,9 +11,9 @@ The first option has the big advantage that there is no overhead of any kind on your application servers. But it requires dedicated networking gear, which is generally not available on cloud setups. -In both cases, the sniffing performance (reading packets passively from the network) +In both cases, the sniffing performance (reading packets passively from the network) is very important. In the case of a dedicated server, better -sniffing performance means that less hardware is required. When Packetbeat is installed +sniffing performance means that less hardware is required. When Packetbeat is installed on an existing application server, better sniffing performance means less overhead. Currently Packetbeat has several options for traffic capturing: 
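Review bot: In the `packetbeat/_meta/beat.reference.yml` hunk the third removed line appears to be `# The default sniffer type is pcap.`, which has nothing to do with pf_ring. The `-18,9 +18,6` counts only add up if that line is deleted along with the two pf_ring comment lines, though the hunk text is flattened here, so this is worth confirming against the file. The asciidoc options page keeps its "The default sniffer type is pcap." sentence as context, so the reference config would be the only place that no longer states the default; I would restore `# The default sniffer type is pcap.` directly above `#packetbeat.interfaces.type: pcap`. The same deletion is repeated in the `packetbeat/packetbeat.reference.yml` hunk. The options page hunk header also still reads `Packetbeat supports three sniffer types:`, so that count probably needs updating now that only two remain.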
@@ -22,15 +22,6 @@ Currently Packetbeat has several options for traffic capturing: it's not the fastest option. * `af_packet`, which uses memory mapped sniffing. This option is faster than libpcap and doesn't require a kernel module, but it's Linux-specific. - * `pf_ring`, which makes use of an ntop.org - http://www.ntop.org/products/pf_ring/[project]. This setting provides the best - sniffing speed, but it requires recompilation and a kernel module, and it's - Linux-specific. - -The `pf_ring` option provides sniffing speeds in the order of Gigabits per -second using only standard hardware, but it requires you to recompile Packetbeat -against the ntop libraries and is therefore currently not officially supported -by Elastic. The `af_packet` option, also known as "memory-mapped sniffing," makes use of a Linux-specific @@ -45,10 +36,6 @@ reads from it. The poll system call is used for getting a notification for the first packet available, but the remaining available packets can be simply read via memory access. -This option is not quite as fast as `pf_ring` (it works to up to 200k packets -per second before dropping packets), but it requires no recompilation and no -kernel modules, and it's still a significant improvement over libpcap. - The `af_packet` sniffer can be further tuned to use more memory in exchange for better performance. The larger the size of the circular buffer, the fewer system calls are needed, which means that fewer CPU cycles are consumed. The default size @@ -61,5 +48,5 @@ packetbeat.interfaces.type: af_packet packetbeat.interfaces.buffer_size_mb: 100 ------------------------------------------------------------------------------ -Please see the <> section for more +Please see the <> section for more configuration options. diff --git a/packetbeat/docs/reference/configuration/packetbeat-options.asciidoc b/packetbeat/docs/reference/configuration/packetbeat-options.asciidoc index d504b289173..377292db3b7 100644 
--- a/packetbeat/docs/reference/configuration/packetbeat-options.asciidoc +++ b/packetbeat/docs/reference/configuration/packetbeat-options.asciidoc @@ -90,12 +90,6 @@ Packetbeat supports three sniffer types: it's not the fastest option. * `af_packet`, which uses memory-mapped sniffing. This option is faster than libpcap and doesn't require a kernel module, but it's Linux-specific. - * `pf_ring`, which makes use of an ntop.org - http://www.ntop.org/products/pf_ring/[project]. This setting provides the best - sniffing speed, but it requires a kernel module, and it's Linux-specific. - -NOTE: The `pf_ring` option requires re-compilation of Packetbeat and is not - officially supported by Elastic at this moment. The default sniffer type is `pcap`. diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 3cdc972c0b1..c42ced2f909 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml @@ -18,9 +18,6 @@ packetbeat.interfaces.device: any # not the fastest option. # * af_packet, which uses memory-mapped sniffing. This option is faster than # libpcap and doesn't require a kernel module, but it's Linux-specific. -# * pf_ring, which makes use of an ntop.org project. This setting provides the -# best sniffing speed, but it requires a kernel module, and it's Linux-specific. -# The default sniffer type is pcap. #packetbeat.interfaces.type: pcap # The maximum size of the packets to capture. The default is 65535, which is diff --git a/packetbeat/sniffer/pfring.go b/packetbeat/sniffer/pfring.go deleted file mode 100644 index 93aecb4214d..00000000000 --- a/packetbeat/sniffer/pfring.go +++ /dev/null 
@@ -1,50 +0,0 @@
-// +build linux,havepfring
-
-package sniffer
-
-import (
- "fmt"
-
- "github.com/tsg/gopacket"
- "github.com/tsg/gopacket/pfring"
-)
-
-type pfringHandle struct {
- Ring *pfring.Ring
-}
-
-func newPfringHandle(device string, snaplen int, promisc bool) (*pfringHandle, error) {
-
- var h pfringHandle
- var err error
-
- if device == "any" {
- return nil, fmt.Errorf("Pfring sniffing doesn't support 'any' as interface")
- }
-
- var flags pfring.Flag
-
- if promisc {
- flags = pfring.FlagPromisc
- }
-
- h.Ring, err = pfring.NewRing(device, uint32(snaplen), flags)
-
- return &h, err
-}
-
-func (h *pfringHandle) ReadPacketData() (data []byte, ci gopacket.CaptureInfo, err error) {
- return h.Ring.ReadPacketData()
-}
-
-func (h *pfringHandle) SetBPFFilter(expr string) (_ error) {
- return h.Ring.SetBPFFilter(expr)
-}
-
-func (h *pfringHandle) Enable() (_ error) {
- return h.Ring.Enable()
-}
-
-func (h *pfringHandle) Close() {
- h.Ring.Close()
-}
diff --git a/packetbeat/sniffer/pfring_stub.go b/packetbeat/sniffer/pfring_stub.go
deleted file mode 100644
index f98e74b437b..00000000000
--- a/packetbeat/sniffer/pfring_stub.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// +build !linux !havepfring
-
-package sniffer
-
-import (
- "fmt"
-
- "github.com/tsg/gopacket"
-)
-
-type pfringHandle struct {
-}
-
-func newPfringHandle(device string, snaplen int, promisc bool) (*pfringHandle, error) {
-
- return nil, fmt.Errorf("Pfring sniffing is not compiled in")
-}
-
-func (h *pfringHandle) ReadPacketData() (data []byte, ci gopacket.CaptureInfo, err error) {
- return data, ci, fmt.Errorf("Pfring sniffing is not compiled in")
-}
-
-func (h *pfringHandle) SetBPFFilter(expr string) (_ error) {
- return fmt.Errorf("Pfring sniffing is not compiled in")
-}
-
-func (h *pfringHandle) Enable() (_ error) {
- return fmt.Errorf("Pfring sniffing is not compiled in")
-}
-
-func (h *pfringHandle) Close() {
-}
diff --git a/packetbeat/sniffer/sniffer.go b/packetbeat/sniffer/sniffer.go index 7bbf6b58362..8dfd5698a13 100644 --- a/packetbeat/sniffer/sniffer.go +++ b/packetbeat/sniffer/sniffer.go @@ -21,7 +21,6 @@ import ( type SnifferSetup struct { pcapHandle *pcap.Handle afpacketHandle *afpacketHandle - pfringHandle *pfringHandle config *config.InterfacesConfig isAlive bool dumper *pcap.Dumper @@ -208,27 +207,6 @@ func (sniffer *SnifferSetup) setFromConfig(config *config.InterfacesConfig) erro } sniffer.DataSource = gopacket.PacketDataSource(sniffer.afpacketHandle) - case "pfring", "pf_ring": - sniffer.pfringHandle, err = newPfringHandle( - sniffer.config.Device, - sniffer.config.Snaplen, - true) - - if err != nil { - return err - } - - err = sniffer.pfringHandle.SetBPFFilter(sniffer.filter) - if err != nil { - return fmt.Errorf("SetBPFFilter failed: %s", err) - } - - err = sniffer.pfringHandle.Enable() - if err != nil { - return fmt.Errorf("Enable failed: %s", err) - } - - sniffer.DataSource = gopacket.PacketDataSource(sniffer.pfringHandle) default: return fmt.Errorf("Unknown sniffer type: %s", sniffer.config.Type) @@ -396,8 +374,6 @@ func (sniffer *SnifferSetup) Close() error { sniffer.pcapHandle.Close() case "af_packet": sniffer.afpacketHandle.Close() - case "pfring", "pf_ring": - sniffer.pfringHandle.Close() } return nil }