ntopng shows no traffic after upgrade; tcpdump also affected

[hoomanv]

Summary

ntopng worked fine before the upgrade and was able to monitor traffic on all interfaces listed below:

# pf_ringcfg --list-interfaces
Name: ens32                Driver: e1000      RSS:     1    [Linux Driver]
Name: ens34                Driver: e1000      RSS:     1    [Linux Driver]
Name: ens35                Driver: e1000      RSS:     1    [Linux Driver]
Name: ppp0                 Driver: ppp        RSS: Unknown  [Linux Driver]
Name: ppp1                 Driver: ppp        RSS: Unknown  [Linux Driver]
Name: tun0                 Driver: tun        RSS: Unknown  [Linux Driver]
Name: tun1                 Driver: tun        RSS: Unknown  [Linux Driver]

After upgrading ntopng, PF_RING, and the kernel, ntopng no longer sees traffic on any interface, including both Ethernet and tunnel interfaces.

Additional Observations

• tcpdump also fails to capture on ens32, but it can capture on ppp0, tun0, and even on enp2s0 (the altname of ens32):

# ip link show ens32
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:02:07:f1 brd ff:ff:ff:ff:ff:ff
    altname enp2s0

• Both versions of tcpdump (/usr/sbin/tcpdump and the one from PF_RING at /usr/local/bin/tcpdump) and pf_ringcfg report the same interface names and status:

[root@kappa ~]# tcpdump -D
1.ens32 [Up, Running, Connected]
2.ens34 [Up, Running, Connected]
3.ens35 [Up, Running, Connected]
4.ppp0 [Up, Running]
5.ppp1 [Up, Running]
6.tun0 [Up, Running, Connected]
8.tun1 [Up, Running, Connected]

• However, /usr/sbin/tcpdump (the system version) is now linked against PF_RING’s libpcap after installing PF_RING:

# ldd /usr/sbin/tcpdump | grep pcap
        libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fda4fd2e000)

After removing PF_RING, the system's tcpdump reverts to using the default system libpcap, and capturing on ens32 works again:

# ldd /usr/sbin/tcpdump | grep pcap
        libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f7d915f7000)

Version Details

Before upgrade:

• ntopng: 6.4.250515-25785.x86_64
• pfring: 9.0.0-9896.x86_64
• kernel: 5.14.0-554.el9.x86_64

After upgrade:

• ntopng: 6.4.250708-26098.x86_64
• pfring: 9.0.0-10070.x86_64
• kernel: 5.14.0-572.el9.x86_64

System Info

• OS: CentOS Stream 9
• No ZC (zero-copy) drivers installed
• Interfaces use the standard e1000 driver

[swtar]

你好，邮件已收到！

[cardigliano]

Could you provide the output of "pfcount -i ens32"? (A few lines)

[hoomanv]

# pfcount -i ens32
Using PF_RING v.9.0.0.250610 kernel module v.9.0.0
Dumping statistics on /proc/net/pf_ring/stats/486814-ens32.34
Capturing from ens32 [mac: 00:0C:29:02:07:F1][if_index: 2][speed: 1000Mb/s]
# Device RX channels: 1
# Polling threads:    1
=========================
Absolute Stats: [0 pkts total][0 pkts dropped][0.0% dropped]
[0 pkts rcvd][0 bytes rcvd]
=========================

=========================
Absolute Stats: [0 pkts total][0 pkts dropped][0.0% dropped]
[0 pkts rcvd][0 bytes rcvd][0.00 pkt/sec][0.00 Mbit/sec]
=========================
Actual Stats: [0 pkts rcvd][1'000.19 ms][0.00 pps][0.00 Gbps]
=========================

=========================
Absolute Stats: [0 pkts total][0 pkts dropped][0.0% dropped]
[0 pkts rcvd][0 bytes rcvd][0.00 pkt/sec][0.00 Mbit/sec]
=========================
Actual Stats: [0 pkts rcvd][1'000.20 ms][0.00 pps][0.00 Gbps]
=========================

Nothing is captured

[cardigliano]

Do you see any related log in dmesg when you start the application?

[hoomanv]

Do you see any related log in dmesg when you start the application?

[420599.769135] e1000 0000:02:00.0 ens32: entered promiscuous mode
[420606.778361] e1000 0000:02:00.0 ens32: left promiscuous mode

[cardigliano]

Still able to reproduce this with the latest pf_ring module?