Running Monitor Applications in Passive Mode
============================================

This page describes how one can set up a mOS middlebox in passive (offline) mode. Please note that a monitor application is not in the forwarding path of the monitored traffic, and therefore cannot drop or manipulate any traffic with this setup. Most intrusion detection systems (IDSes) work in this mode.

Environment
-----------------------

This section assumes an environment configured as described in the figure below.

.. figure:: images/mirror_config.png
   :align: center
   :scale: 50 %

* Data Network: Any Ethernet network, including end hosts that send and receive traffic, with Host 1 located at a unique vantage point where it has access to the ongoing traffic.
* Host 1: A host which receives mirrored traffic from a switch placed in between two networks, so that it can monitor flows being exchanged between them. In this example, the host runs :doc:`../samples/midstat` on the mOS stack. It has only one NIC, named ``dpdk0``, which is configured to receive mirrored traffic.

Configuration Steps
-----------------------

Compile and build mOS library and applications
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Follow the guidelines mentioned in :doc:`../walkthrough/03_setup` to set up the mOS net library and the environment.

* In this case, the IP address that is assigned to ``dpdk0`` does not matter. You are only required to configure the network (`i.e.`, just type ``ifconfig dpdk0 up``), so that Host 1 can monitor the traffic you want.

Refer to :ref:`sample_app`, and make sure that you successfully compile the mOS application.

* In Host 1, please compile ``midstat``.

.. code-block:: console

   $ cd samples/midstat
   $ make

Set up mOS application configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Before running the ``midstat`` application, you need to update a configuration file in Host 1.

* In Host 1, please configure ``mos.conf`` as below.
  We assume that Host 1 uses CPU core 0 to 7 for running ``midstat``. Please make sure you set ``forward = 0`` to prevent traffic transmissions.

.. code-block:: console

   #######################
   # MOS-RELATED OPTIONS #
   #######################
   mos {
       forward = 0

       #######################
       ##### I/O OPTIONS #####
       #######################
       # number of memory channels per socket [mandatory for DPDK]
       nb_mem_channels = 4

       # devices used for MOS applications [mandatory]
       netdev {
           dpdk0 0x00FF
       }

       #######################
       ### LOGGING OPTIONS ###
       #######################
       # NICs to print network statistics per second
       # if enabled, mTCP will print xx Gbps and xx pps for RX and TX
       stat_print = dpdk0

       # A directory contains MOS system log files
       mos_log = logs/
   }

Run midstat
-------------------------

In Host 1, run ``midstat`` with sudo privileges. You should be able to monitor the TCP states of ongoing connections.

.. code-block:: console

   $ sudo ./midstat

.. important::
   You can run ``midstat`` on top of PCAP. If you are using PCAP, then type ``sudo ./midstat -c 1`` to run. Please note that the PCAP version only works with a single CPU core setup.

.. warning::
   1. We don't recommend using ``nat`` or ``firewall`` applications in passive mode (traffic is not forwarded).
   2. The PCAP version of monitoring applications should always be executed with a single core. PCAP I/O does not provide built-in support for splitting traffic flows *symmetrically* across cores.

.. important::
   1. In passive mode, we recommend disabling traffic forwarding. This also means that we do not need to set up a static NIC forward table in M.
   2. We recommend that you compile the mOS library and monitor applications with the ``-DBE_RESILIENT_TO_PACKET_DROP`` macro for passive mode.

.. note::
   In case you want to detach dpdk-registered NICs for later PCAP use, we suggest using ``./setup.sh --run-dpdk``. Select option 5 to unbind NICs from DPDK's ``igb_uio`` driver.
   Also, make sure that you have removed old ``mos.conf`` files from monitoring applications' directories.

Troubleshooting
-----------------------

If your mOS program crashes, search through the printed log messages to check if you missed any of the following requirements:

* You should load only the dpdk-registered interfaces (after loading the ``igb_uio`` driver) and configure hugepages as described in :doc:`../walkthrough/03_setup`.
* You should create the log folder specified in the ``mos_log`` parameter in ``mos.conf`` (``logs/`` in our example) within the same directory that contains the mOS application binary.
* Please check if your system is running out of memory by looking at the memory footprint (OOM errors). If you have memory deficiency issues, please reduce the number of socket buffers in ``mos.conf``.

If your mOS application cannot capture any packets, check whether the switch is transmitting mirrored traffic to your network port.

* You can check mirrored traffic reception by reloading the default Linux kernel network driver (see the option 5 in :ref:`kernel_module`) and running a passive network tool such as ``tcpdump``.

.. warning::
   Please note that the mOS stack currently can only run on a CPU processor with 16 CPU cores or less. This restriction will be removed in future versions of the stack. For now, we suggest that the user disables all CPU core IDs > 16 using the ``sysfs`` interface.

   .. code-block:: console

      $ cd /sys/devices/system/cpu
      $ # MAX_CPU must hold the highest CPU core ID present (run as root)
      $ for i in $(seq 16 $MAX_CPU)
        do
          cd cpu$i
          echo 0 > online
          cd ..
        done

We don't recommend using ``nat`` or ``firewall`` applications in passive mode (traffic is not forwarded).

Passive Mode for Debugging
-----------------------------

In this section, we show how one can set up a mOS middlebox in passive mode but with a different configuration.

Packet Replaying
~~~~~~~~~~~~~~~~~~~~~~

.. figure:: images/replay.png
   :align: center
   :scale: 45 %

Our setup can be configured to receive traffic from a packet replayer that transmits previously recorded packet captures. A likely configuration for this scenario is a two-machine setup (direct connection) as shown in the figure above. Compilation and configuration instructions for setting up the middlebox application are identical to the ones mentioned in the sections above.

Testing 'midstat' (for non-debugging mode only)
---------------------------------------------------

You can pick two nodes on either side of Host 1 that can be used as TCP server and client applications. A typical server application can be a web server (see http://nginx.org or http://www.apache.org for further information) or a simple evaluation tool such as nuttcp_ (server mode). A typical client application can be a web client (see https://www.gnu.org/software/wget/) or nuttcp_ (client mode).

.. _Sample Applications User Guide: ../samples/index.html
.. _nuttcp: http://www.nuttcp.net/Welcome%20Page.html
.. _Configuration Parameter Tuning: 05_configuration.html
.. _`3.2.3`: ./03_build_inline.html#decompress-mos-package-on-m
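
The ``mos.conf`` requirements from the configuration and troubleshooting sections above (``forward = 0``, cores within the 16-core limit, an existing ``mos_log`` directory) can be checked before starting a monitor. The script below is an added example, not part of the mOS distribution; the function names are hypothetical, and it assumes ``key = value`` spacing as shown on this page, that ``mos.conf`` sits next to the application binary, and that the hex value in the ``netdev`` block is a CPU core bitmask (as ``0x00FF`` for cores 0 to 7 suggests).

```shell
#!/bin/sh
# Added example, not part of mOS: pre-flight check of mos.conf for passive mode.
# Assumes "key = value" spacing as on this page, that mos.conf sits next to
# the application binary, and that the netdev hex value is a CPU core bitmask.

write_sample_conf() {   # constructed sample: write_sample_conf FILE FORWARD MASK
    printf 'mos {\n\tforward = %s\n\tnb_mem_channels = 4\n' "$2" > "$1"
    printf '\tnetdev {\n\t\tdpdk0 %s\n\t}\n' "$3" >> "$1"
    printf '\tstat_print = dpdk0\n\t# log directory\n\tmos_log = logs/\n}\n' >> "$1"
}

check_passive_conf() (  # prints findings, returns the number of problems
    conf=$1; problems=0
    body=$(sed 's/#.*//' "$conf")              # drop comments first
    forward=$(printf '%s\n' "$body" | awk '$1 == "forward" && $2 == "=" {print $3}')
    mask=$(printf '%s\n' "$body" | awk 'NF == 2 && $2 ~ /^0x[0-9A-Fa-f]+$/ {print $2; exit}')
    logdir=$(printf '%s\n' "$body" | awk '$1 == "mos_log" && $2 == "=" {print $3}')

    if [ "$forward" != "0" ]; then
        echo "FAIL: forward = ${forward:-<unset>}; the monitor may transmit"
        problems=$((problems + 1))
    fi
    if [ -z "$mask" ]; then
        echo "FAIL: no core mask found in netdev block"
        problems=$((problems + 1))
    elif [ $(( $mask >> 16 )) -ne 0 ]; then
        echo "FAIL: core mask $mask uses core IDs above 15 (16-core limit)"
        problems=$((problems + 1))
    fi
    if [ -z "$logdir" ] || [ ! -d "$(dirname "$conf")/$logdir" ]; then
        echo "FAIL: mos_log directory '$logdir' does not exist beside $conf"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: $conf is suitable for passive mode"
    return "$problems"
)

# Demo on a constructed file: the page's values, but with forwarding left on.
demo=$(mktemp -d) && mkdir "$demo/logs"
write_sample_conf "$demo/mos.conf" 1 0x00FF
check_passive_conf "$demo/mos.conf" || echo "problems: $?"
rm -rf "$demo"
```

Against a real deployment, call ``check_passive_conf`` with the path of the ``mos.conf`` in the monitor application's directory; a non-zero return value is the number of failed checks.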