[Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
David.R.Wharton at regions.com
David.R.Wharton at regions.com
Thu Aug 4 15:30:40 UTC 2011
I saw this thread --
http://lists.openinfosecfoundation.org/pipermail/oisf-users/2010-September/000335.html
-- and freed up some memory and CPU cycles and I am still getting the
errors although the rate of the errors seems a little reduced than before.
I am also seeing errors like this:
[5391] 4/8/2011 -- 10:21:54 - (app-layer-parser.c:955) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "tls" app layer protocol, using network protocol 6, source IP
address 166.137.14.31, destination IP address <removed>, src port 20375
and dst port 443
[5391] 4/8/2011 -- 10:21:54 - (app-layer-htp.c:491) <Error>
(HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in
parsing HTTP server response: [1] [htp_response.c] [677] Unable to match
response to request
I checked the processors' load and memory usage while Suricata was running
and throwing these errors and everything looked fine (e.g. there were
plenty of RAM and CPU cycles to spare).
Thanks.
-David
From: David R. Wharton/Technology/REGIONS
To: Will Metcalf <william.metcalf at gmail.com>
Cc: oisf-devel at openinfosecfoundation.org
Date: 08/04/2011 10:06 AM
Subject: Re: [Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE:
SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
Thanks Will. I installed Suricata version 1.1beta2 (rev b3f7e6a) from git
and now I don't get the PF_RING errors. Now I get tons of App Layer
parser errors, similar to the following, mostly on SSL/TLS connections but
I also see it on http and smtp 'app layer protocol':
[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "tls" app layer protocol, using network protocol 6, source IP
address 66.255.199.50, destination IP address <removed>, src port 34481
and dst port 443
[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "tls" app layer protocol, using network protocol 6, source IP
address 153.69.201.240, destination IP address <removed>, src port 7132
and dst port 443
[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "http" app layer protocol, using network protocol 6, source IP
address <removed>, destination IP address 68.147.232.208, src port 53771
and dst port 80
Thanks.
-David
From: Will Metcalf <william.metcalf at gmail.com>
To: David.R.Wharton at regions.com
Cc: oisf-devel at openinfosecfoundation.org
Date: 08/03/2011 04:35 PM
Subject: Re: [Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE:
SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
You need to upgrade to the latest suricata version from git. Packets
are now passed as a reference in PF_RING 4.7.1, which required us to
modify suri.
Regards,
Will
On Wed, Aug 3, 2011 at 4:30 PM, <David.R.Wharton at regions.com> wrote:
> I'm trying to get Suricata up and running with PF_RING but I keep
getting a
> pfring_recv error. Here is a snipped from when Suricata starts up:
>
> [13373] 3/8/2011 -- 16:25:22 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13354] 3/8/2011 -- 16:25:23 - (tm-threads.c:1485) <Info>
> (TmThreadWaitOnThreadInit) -- all 11 packet processing threads, 3
management
> threads initialized, engine started.
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:232) <Error>
(ReceivePfring)
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth2, cluster-id 99
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:232) <Error>
(ReceivePfring)
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (nan%).
> [13354] 3/8/2011 -- 16:25:25 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [13395] 3/8/2011 -- 16:25:25 - (source-pfring.c:307) <Error>
> (ReceivePfringThreadInit) -- [ERRCODE:
> SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -1
for
> cluster-id: 99
> [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1363) <Info> (main) -- signal
> received
> [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1414) <Info> (main) -- time
> elapsed 3s
> [13384] 3/8/2011 -- 16:25:25 - (flow.c:1142) <Info> (FlowManagerThread)
-- 0
> new flows, 0 established flows were timed out, 0 flows in closed state
> [13354] 3/8/2011 -- 16:25:25 - (stream-tcp-reassemble.c:352) <Info>
> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly engine
> 11220864 (in use 0)
> [13354] 3/8/2011 -- 16:25:25 - (stream-tcp.c:495) <Info>
> (StreamTcpFreeConfig) -- Max memuse of stream engine 4063232 (in use 0)
> [13354] 3/8/2011 -- 16:25:26 - (detect.c:3403) <Info>
> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> complete
>
> I am running PF_RING 4.7.1 ($Revision: 4753$) and Suricata version
1.1beta2.
>
> PF_RING seems to be installed OK and I can run the pfcount program just
> fine:
>
> # cat /proc/net/pf_ring/info
> PF_RING Version : 4.7.1 ($Revision: 4753$)
> Ring slots : 4096
> Slot version : 13
> Capture TX : Yes [RX+TX]
> IP Defragment : No
> Socket Mode : Standard
> Transparent mode : Yes (mode 0)
> Total rings : 0
> Total plugins : 0
>
>
> # ./pfcount -i eth2
> Using PF_RING v.4.7.1
> Capturing from eth2 [00:1B:78:31:F1:A4]
> # Device RX channels: 1
> # Polling threads: 1
> =========================
> Absolute Stats: [49859 pkts rcvd][0 pkts dropped]
> Total Pkts=49859/Dropped=0.0 %
> 49'859 pkts - 28'713'541 bytes
> =========================
>
> =========================
> Absolute Stats: [102158 pkts rcvd][0 pkts dropped]
> Total Pkts=102158/Dropped=0.0 %
> 102'158 pkts - 59'531'866 bytes [101'959.38 pkt/sec - 475.33 Mbit/sec]
> =========================
> Actual Stats: 52299 pkts [1'001.94 ms][52'197.37 pkt/sec]
> =========================
>
>
> Any ideas?
>
> Thanks.
>
> -David
>
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110804/21f2b989/attachment-0002.html>
More information about the Oisf-devel
mailing list