diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index c10e4ea80dc..1e76dd4721f 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -32,6 +32,8 @@ https://github.com/elastic/beats/compare/v6.0.0-alpha2...master[Check the HEAD d
 *Packetbeat*
+- Remove the already unsupported `pf_ring` sniffer option. {pull}4608[4608]
+
 *Winlogbeat*
 ==== Bugfixes
diff --git a/packetbeat/Makefile b/packetbeat/Makefile
index ae1ddf0544e..b79f8c91d8a 100644
--- a/packetbeat/Makefile
+++ b/packetbeat/Makefile
@@ -6,10 +6,6 @@ ES_BEATS?=..
 include ${ES_BEATS}/libbeat/scripts/Makefile
-.PHONY: with_pfring
-with_pfring:
- go build --tags havepfring
-
 # This is called by the beats packer before building starts
 .PHONY: before-build
 before-build:
diff --git a/packetbeat/_meta/beat.reference.yml b/packetbeat/_meta/beat.reference.yml
index 093ea616018..1e82b58aad4 100644
--- a/packetbeat/_meta/beat.reference.yml
+++ b/packetbeat/_meta/beat.reference.yml
@@ -18,9 +18,6 @@ packetbeat.interfaces.device: any
 # not the fastest option.
 # * af_packet, which uses memory-mapped sniffing. This option is faster than
 # libpcap and doesn't require a kernel module, but it's Linux-specific.
-# * pf_ring, which makes use of an ntop.org project. This setting provides the
-# best sniffing speed, but it requires a kernel module, and it's Linux-specific.
-# The default sniffer type is pcap.
 #packetbeat.interfaces.type: pcap
 # The maximum size of the packets to capture. The default is 65535, which is
diff --git a/packetbeat/docs/capturing.asciidoc b/packetbeat/docs/capturing.asciidoc
index 423b431f51a..af97b2bc543 100644
--- a/packetbeat/docs/capturing.asciidoc
+++ b/packetbeat/docs/capturing.asciidoc
@@ -11,9 +11,9 @@ The first option has the big advantage that there is no overhead of any kind on your application servers. But it requires dedicated networking gear, which is generally not available on cloud setups.
-In both cases, the sniffing performance (reading packets passively from the network)
+In both cases, the sniffing performance (reading packets passively from the network)
 is very important. In the case of a dedicated server, better
-sniffing performance means that less hardware is required. When Packetbeat is installed
+sniffing performance means that less hardware is required. When Packetbeat is installed
 on an existing application server, better sniffing performance means less overhead.
 Currently Packetbeat has several options for traffic capturing:
@@ -22,15 +22,6 @@ Currently Packetbeat has several options for traffic capturing:
 it's not the fastest option.
 * `af_packet`, which uses memory mapped sniffing. This option is faster than
 libpcap and doesn't require a kernel module, but it's Linux-specific.
- * `pf_ring`, which makes use of an ntop.org
- http://www.ntop.org/products/pf_ring/[project]. This setting provides the best
- sniffing speed, but it requires recompilation and a kernel module, and it's
- Linux-specific.
-
-The `pf_ring` option provides sniffing speeds in the order of Gigabits per
-second using only standard hardware, but it requires you to recompile Packetbeat
-against the ntop libraries and is therefore currently not officially supported
-by Elastic.
 The `af_packet` option, also known as "memory-mapped sniffing," makes use of a Linux-specific
@@ -45,10 +36,6 @@ reads from it. The poll system call is used for getting a notification for the first packet available, but the remaining available packets can be simply read via memory access.
-This option is not quite as fast as `pf_ring` (it works to up to 200k packets
-per second before dropping packets), but it requires no recompilation and no
-kernel modules, and it's still a significant improvement over libpcap.
-
 The `af_packet` sniffer can be further tuned to use more memory in exchange for better performance. The larger the size of the circular buffer, the fewer system calls are needed, which means that fewer CPU cycles are consumed. The default size
@@ -61,5 +48,5 @@ packetbeat.interfaces.type: af_packet
 packetbeat.interfaces.buffer_size_mb: 100
 ------------------------------------------------------------------------------
-Please see the <> section for more
+Please see the <> section for more
 configuration options.
diff --git a/packetbeat/docs/reference/configuration/packetbeat-options.asciidoc b/packetbeat/docs/reference/configuration/packetbeat-options.asciidoc
index d504b289173..377292db3b7 100644
--- a/packetbeat/docs/reference/configuration/packetbeat-options.asciidoc
+++ b/packetbeat/docs/reference/configuration/packetbeat-options.asciidoc
@@ -90,12 +90,6 @@ Packetbeat supports three sniffer types:
 it's not the fastest option.
 * `af_packet`, which uses memory-mapped sniffing. This option is faster than
 libpcap and doesn't require a kernel module, but it's Linux-specific.
- * `pf_ring`, which makes use of an ntop.org
- http://www.ntop.org/products/pf_ring/[project]. This setting provides the best
- sniffing speed, but it requires a kernel module, and it's Linux-specific.
-
-NOTE: The `pf_ring` option requires re-compilation of Packetbeat and is not
- officially supported by Elastic at this moment.
 The default sniffer type is `pcap`.
diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml
index 5a554fd0cf6..e00ca3be3c8 100644
--- a/packetbeat/packetbeat.reference.yml
+++ b/packetbeat/packetbeat.reference.yml
@@ -18,9 +18,6 @@ packetbeat.interfaces.device: any
 # not the fastest option.
 # * af_packet, which uses memory-mapped sniffing. This option is faster than
 # libpcap and doesn't require a kernel module, but it's Linux-specific.
-# * pf_ring, which makes use of an ntop.org project. This setting provides the
-# best sniffing speed, but it requires a kernel module, and it's Linux-specific.
-# The default sniffer type is pcap.
 #packetbeat.interfaces.type: pcap
 # The maximum size of the packets to capture. The default is 65535, which is
diff --git a/packetbeat/sniffer/pfring.go b/packetbeat/sniffer/pfring.go
deleted file mode 100644
index 93aecb4214d..00000000000
--- a/packetbeat/sniffer/pfring.go
+++ /dev/null
@@ -1,50 +0,0 @@
-// +build linux,havepfring
-
-package sniffer
-
-import (
- "fmt"
-
- "github.com/tsg/gopacket"
- "github.com/tsg/gopacket/pfring"
-)
-
-type pfringHandle struct {
- Ring *pfring.Ring
-}
-
-func newPfringHandle(device string, snaplen int, promisc bool) (*pfringHandle, error) {
-
- var h pfringHandle
- var err error
-
- if device == "any" {
- return nil, fmt.Errorf("Pfring sniffing doesn't support 'any' as interface")
- }
-
- var flags pfring.Flag
-
- if promisc {
- flags = pfring.FlagPromisc
- }
-
- h.Ring, err = pfring.NewRing(device, uint32(snaplen), flags)
-
- return &h, err
-}
-
-func (h *pfringHandle) ReadPacketData() (data []byte, ci gopacket.CaptureInfo, err error) {
- return h.Ring.ReadPacketData()
-}
-
-func (h *pfringHandle) SetBPFFilter(expr string) (_ error) {
- return h.Ring.SetBPFFilter(expr)
-}
-
-func (h *pfringHandle) Enable() (_ error) {
- return h.Ring.Enable()
-}
-
-func (h *pfringHandle) Close() {
- h.Ring.Close()
-}
diff --git a/packetbeat/sniffer/pfring_stub.go b/packetbeat/sniffer/pfring_stub.go
deleted file mode 100644
index f98e74b437b..00000000000
--- a/packetbeat/sniffer/pfring_stub.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// +build !linux !havepfring
-
-package sniffer
-
-import (
- "fmt"
-
- "github.com/tsg/gopacket"
-)
-
-type pfringHandle struct {
-}
-
-func newPfringHandle(device string, snaplen int, promisc bool) (*pfringHandle, error) {
-
- return nil, fmt.Errorf("Pfring sniffing is not compiled in")
-}
-
-func (h *pfringHandle) ReadPacketData() (data []byte, ci gopacket.CaptureInfo, err error) {
- return data, ci, fmt.Errorf("Pfring sniffing is not compiled in")
-}
-
-func (h *pfringHandle) SetBPFFilter(expr string) (_ error) {
- return fmt.Errorf("Pfring sniffing is not compiled in")
-}
-
-func (h *pfringHandle) Enable() (_ error) {
- return fmt.Errorf("Pfring sniffing is not compiled in")
-}
-
-func (h *pfringHandle) Close() {
-}
diff --git a/packetbeat/sniffer/sniffer.go b/packetbeat/sniffer/sniffer.go
index 7bbf6b58362..8dfd5698a13 100644
--- a/packetbeat/sniffer/sniffer.go
+++ b/packetbeat/sniffer/sniffer.go
@@ -21,7 +21,6 @@ import (
 type SnifferSetup struct {
 pcapHandle *pcap.Handle
 afpacketHandle *afpacketHandle
- pfringHandle *pfringHandle
 config *config.InterfacesConfig
 isAlive bool
 dumper *pcap.Dumper
@@ -208,27 +207,6 @@ func (sniffer *SnifferSetup) setFromConfig(config *config.InterfacesConfig) erro
 }
 sniffer.DataSource = gopacket.PacketDataSource(sniffer.afpacketHandle)
- case "pfring", "pf_ring":
- sniffer.pfringHandle, err = newPfringHandle(
- sniffer.config.Device,
- sniffer.config.Snaplen,
- true)
-
- if err != nil {
- return err
- }
-
- err = sniffer.pfringHandle.SetBPFFilter(sniffer.filter)
- if err != nil {
- return fmt.Errorf("SetBPFFilter failed: %s", err)
- }
-
- err = sniffer.pfringHandle.Enable()
- if err != nil {
- return fmt.Errorf("Enable failed: %s", err)
- }
-
- sniffer.DataSource = gopacket.PacketDataSource(sniffer.pfringHandle)
 default:
 return fmt.Errorf("Unknown sniffer type: %s", sniffer.config.Type)
@@ -396,8 +374,6 @@ func (sniffer *SnifferSetup) Close() error {
 sniffer.pcapHandle.Close()
 case "af_packet":
 sniffer.afpacketHandle.Close()
- case "pfring", "pf_ring":
- sniffer.pfringHandle.Close()
 }
 return nil
 }