[Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1

David.R.Wharton at regions.com David.R.Wharton at regions.com
Thu Aug 4 15:06:27 UTC 2011


Thanks Will.  I installed Suricata version 1.1beta2 (rev b3f7e6a) from git 
and now I don't get the PF_RING errors.  Now I get tons of App Layer 
parser errors, similar to the following, mostly on SSL/TLS connections but 
I also see it on http and smtp 'app layer protocol':

[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error> 
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
parsing "tls" app layer protocol, using network protocol 6, source IP 
address 66.255.199.50, destination IP address <removed>, src port 34481 
and dst port 443
[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error> 
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
parsing "tls" app layer protocol, using network protocol 6, source IP 
address 153.69.201.240, destination IP address <removed>, src port 7132 
and dst port 443
[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error> 
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
parsing "http" app layer protocol, using network protocol 6, source IP 
address <removed>, destination IP address 68.147.232.208, src port 53771 
and dst port 80

Thanks.

-David



From:   Will Metcalf <william.metcalf at gmail.com>
To:     David.R.Wharton at regions.com
Cc:     oisf-devel at openinfosecfoundation.org
Date:   08/03/2011 04:35 PM
Subject:        Re: [Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE: 
SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1



You need to upgrade to the latest suricata version from git. Packets
are now passed as a reference in PF_RING 4.7.1, which required us to
modify suri.

Regards,

Will
On Wed, Aug 3, 2011 at 4:30 PM,  <David.R.Wharton at regions.com> wrote:
> I'm trying to get Suricata up and running with PF_RING but I keep getting a
> pfring_recv error.  Here is a snippet from when Suricata starts up:
>
> [13373] 3/8/2011 -- 16:25:22 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13354] 3/8/2011 -- 16:25:23 - (tm-threads.c:1485) <Info>
> (TmThreadWaitOnThreadInit) -- all 11 packet processing threads, 3 management
> threads initialized, engine started.
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:25 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13395] 3/8/2011 -- 16:25:25 - (source-pfring.c:307) <Error>
> (ReceivePfringThreadInit) -- [ERRCODE:
> SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -1 for
> cluster-id: 99
> [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1363) <Info> (main) -- signal
> received
> [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1414) <Info> (main) -- time
> elapsed 3s
> [13384] 3/8/2011 -- 16:25:25 - (flow.c:1142) <Info> (FlowManagerThread) -- 0
> new flows, 0 established flows were timed out, 0 flows in closed state
> [13354] 3/8/2011 -- 16:25:25 - (stream-tcp-reassemble.c:352) <Info>
> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly engine
> 11220864 (in use 0)
> [13354] 3/8/2011 -- 16:25:25 - (stream-tcp.c:495) <Info>
> (StreamTcpFreeConfig) -- Max memuse of stream engine 4063232 (in use 0)
> [13354] 3/8/2011 -- 16:25:26 - (detect.c:3403) <Info>
> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> complete
>
> I am running PF_RING 4.7.1 ($Revision: 4753$) and Suricata version 1.1beta2.
>
> PF_RING seems to be installed OK and I can run the pfcount program just
> fine:
>
> # cat /proc/net/pf_ring/info
> PF_RING Version     : 4.7.1 ($Revision: 4753$)
> Ring slots          : 4096
> Slot version        : 13
> Capture TX          : Yes [RX+TX]
> IP Defragment       : No
> Socket Mode         : Standard
> Transparent mode    : Yes (mode 0)
> Total rings         : 0
> Total plugins       : 0
>
>
> # ./pfcount -i eth2
> Using PF_RING v.4.7.1
> Capturing from eth2 [00:1B:78:31:F1:A4]
> # Device RX channels: 1
> # Polling threads:    1
> =========================
> Absolute Stats: [49859 pkts rcvd][0 pkts dropped]
> Total Pkts=49859/Dropped=0.0 %
> 49'859 pkts - 28'713'541 bytes
> =========================
>
> =========================
> Absolute Stats: [102158 pkts rcvd][0 pkts dropped]
> Total Pkts=102158/Dropped=0.0 %
> 102'158 pkts - 59'531'866 bytes [101'959.38 pkt/sec - 475.33 Mbit/sec]
> =========================
> Actual Stats: 52299 pkts [1'001.94 ms][52'197.37 pkt/sec]
> =========================
>
>
> Any ideas?
>
> Thanks.
>
> -David

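One way to triage logs like those quoted in this thread, as an added example that is not part of the original messages or Suricata's own code: it rejoins mail-wrapped records and tallies error codes, app-layer parser failures by protocol and destination port, and thread restarts. The sample input, its addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in this thread (wrapped, partly ">"-quoted).
SAMPLE = """\
[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "tls" app layer protocol, using network protocol 6, source IP
address 192.0.2.10, destination IP address 198.51.100.5, src port 34481
and dst port 443
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
"""

START = re.compile(r"^\[\d+\] \d+/\d+/\d+ -- ")
RECORD = re.compile(r"<(?P<level>\w+)> \((?P<func>\w+)\) -- "
                    r"(?:\[ERRCODE: (?P<code>\w+)\(\d+\)\] - )?(?P<msg>.*)")
ALP = re.compile(r'parsing "(?P<proto>[\w-]+)" app layer protocol.*dst port (?P<dport>\d+)')

def records(text):
    """Rejoin wrapped lines into one string per log record."""
    current = []
    for line in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line).strip()  # drop mail quote marks
        if START.match(line) and current:
            yield " ".join(current)
            current = []
        if line:
            current.append(line)
    if current:
        yield " ".join(current)

def summarize(text):
    """Count error codes, parser errors by (proto, dst port), and thread restarts."""
    codes, parsers, restarts = Counter(), Counter(), Counter()
    for rec in records(text):
        m = RECORD.search(rec)
        if not m:
            continue
        if m["code"]:
            codes[m["code"]] += 1
        alp = ALP.search(m["msg"])
        if alp:
            parsers[(alp["proto"], int(alp["dport"]))] += 1
        thr = re.search(r'thread "([^"]+)" restarted', m["msg"])
        if thr:
            restarts[thr[1]] += 1
    return codes, parsers, restarts
```

A high restart count for one thread next to a single repeating error code, as in the PF_RING log above, points at a capture-layer failure rather than a traffic problem.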