[Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1

Peter Manev petermanev at gmail.com
Thu Aug 4 15:33:27 UTC 2011


On Thu, Aug 4, 2011 at 5:30 PM, <David.R.Wharton at regions.com> wrote:

> I saw this thread --
> http://lists.openinfosecfoundation.org/pipermail/oisf-users/2010-September/000335.html -- and freed up some memory and CPU cycles, and I am still getting the errors,
> although the rate of the errors seems a little lower than before.  I am
> also seeing errors like this:
>
> [5391] 4/8/2011 -- 10:21:54 - (app-layer-parser.c:955) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "tls" app layer protocol, using network protocol 6, source IP address
> 166.137.14.31, destination IP address <removed>, src port 20375 and dst port
> 443
> [5391] 4/8/2011 -- 10:21:54 - (app-layer-htp.c:491) <Error>
> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP server response: [1] [htp_response.c] [677] Unable to match response to
> request
>
> I checked the processors' load and memory usage while Suricata was running
> and throwing these errors and everything looked fine (e.g. there were plenty
> of RAM and CPU cycles to spare).
>
> Thanks.
>
> -David
>
>
>
> From:        David R. Wharton/Technology/REGIONS
> To:        Will Metcalf <william.metcalf at gmail.com>
> Cc:        oisf-devel at openinfosecfoundation.org
> Date:        08/04/2011 10:06 AM
> Subject:        Re: [Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE:
> SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> ------------------------------
>
>
> Thanks Will.  I installed Suricata version 1.1beta2 (rev b3f7e6a) from git
> and now I don't get the PF_RING errors.  Now I get tons of App Layer parser
> errors, similar to the following, mostly on SSL/TLS connections but I also
> see it on http and smtp 'app layer protocol':
>
> [4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "tls" app layer protocol, using network protocol 6, source IP address
> 66.255.199.50, destination IP address <removed>, src port 34481 and dst
> port 443
> [4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "tls" app layer protocol, using network protocol 6, source IP address
> 153.69.201.240, destination IP address <removed>, src port 7132 and dst port
> 443
> [4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> <removed>, destination IP address 68.147.232.208, src port 53771 and dst
> port 80
>
> Thanks.
>
> -David
>
>
>
>
> From:        Will Metcalf <william.metcalf at gmail.com>
> To:        David.R.Wharton at regions.com
> Cc:        oisf-devel at openinfosecfoundation.org
> Date:        08/03/2011 04:35 PM
> Subject:        Re: [Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE:
> SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> ------------------------------
>
>
>
> You need to upgrade to the latest suricata version from git. Packets
> are now passed as a reference in PF_RING 4.7.1, which required us to
> modify suri.
>
> Regards,
>
> Will
> On Wed, Aug 3, 2011 at 4:30 PM,  <David.R.Wharton at regions.com> wrote:
> > I'm trying to get Suricata up and running with PF_RING but I keep getting a
> > pfring_recv error.  Here is a snippet from when Suricata starts up:
> >
> > [13373] 3/8/2011 -- 16:25:22 - (source-pfring.c:313) <Info>
> > (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> > interface eth2, cluster-id 99
> > [13354] 3/8/2011 -- 16:25:23 - (tm-threads.c:1485) <Info>
> > (TmThreadWaitOnThreadInit) -- all 11 packet processing threads, 3 management
> > threads initialized, engine started.
> > [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:232) <Error> (ReceivePfring)
> > -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> > [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:332) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> > [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:336) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> > Drop:0 (nan%).
> > [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> > (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> > [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> > (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> > interface eth2, cluster-id 99
> > [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error> (ReceivePfring)
> > -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> > [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> > [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> > Drop:0 (nan%).
> > [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> > (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> > [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> > (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> > interface eth2, cluster-id 99
> > [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error> (ReceivePfring)
> > -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> > [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> > [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> > Drop:0 (nan%).
> > [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> > (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> > [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> > (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> > interface eth2, cluster-id 99
> > [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error> (ReceivePfring)
> > -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> > [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> > [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> > Drop:0 (nan%).
> > [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> > (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> > [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> > (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> > interface eth2, cluster-id 99
> > [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error> (ReceivePfring)
> > -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> > [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> > [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> > Drop:0 (nan%).
> > [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> > (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> > [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> > (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> > interface eth2, cluster-id 99
> > [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error> (ReceivePfring)
> > -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> > [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> > [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> > Drop:0 (nan%).
> > [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> > (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> > [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
> > (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> > interface eth2, cluster-id 99
> > [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error> (ReceivePfring)
> > -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> > [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> > [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> > Drop:0 (nan%).
> > [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
> > (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> > [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:313) <Info>
> > (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> > interface eth2, cluster-id 99
> > [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:232) <Error> (ReceivePfring)
> > -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
> > [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:332) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> > [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:336) <Info>
> > (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> > Drop:0 (nan%).
> > [13354] 3/8/2011 -- 16:25:25 - (tm-threads.c:1400) <Info>
> > (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> > [13395] 3/8/2011 -- 16:25:25 - (source-pfring.c:307) <Error>
> > (ReceivePfringThreadInit) -- [ERRCODE:
> > SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -1 for
> > cluster-id: 99
> > [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1363) <Info> (main) -- signal
> > received
> > [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1414) <Info> (main) -- time
> > elapsed 3s
> > [13384] 3/8/2011 -- 16:25:25 - (flow.c:1142) <Info> (FlowManagerThread) -- 0
> > new flows, 0 established flows were timed out, 0 flows in closed state
> > [13354] 3/8/2011 -- 16:25:25 - (stream-tcp-reassemble.c:352) <Info>
> > (StreamTcpReassembleFree) -- Max memuse of the stream reassembly engine
> > 11220864 (in use 0)
> > [13354] 3/8/2011 -- 16:25:25 - (stream-tcp.c:495) <Info>
> > (StreamTcpFreeConfig) -- Max memuse of stream engine 4063232 (in use 0)
> > [13354] 3/8/2011 -- 16:25:26 - (detect.c:3403) <Info>
> > (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> > complete
> >
> > I am running PF_RING 4.7.1 ($Revision: 4753$) and Suricata version 1.1beta2.
> >
> > PF_RING seems to be installed OK and I can run the pfcount program just
> > fine:
> >
> > # cat /proc/net/pf_ring/info
> > PF_RING Version     : 4.7.1 ($Revision: 4753$)
> > Ring slots          : 4096
> > Slot version        : 13
> > Capture TX          : Yes [RX+TX]
> > IP Defragment       : No
> > Socket Mode         : Standard
> > Transparent mode    : Yes (mode 0)
> > Total rings         : 0
> > Total plugins       : 0
> >
> >
> > # ./pfcount -i eth2
> > Using PF_RING v.4.7.1
> > Capturing from eth2 [00:1B:78:31:F1:A4]
> > # Device RX channels: 1
> > # Polling threads:    1
> > =========================
> > Absolute Stats: [49859 pkts rcvd][0 pkts dropped]
> > Total Pkts=49859/Dropped=0.0 %
> > 49'859 pkts - 28'713'541 bytes
> > =========================
> >
> > =========================
> > Absolute Stats: [102158 pkts rcvd][0 pkts dropped]
> > Total Pkts=102158/Dropped=0.0 %
> > 102'158 pkts - 59'531'866 bytes [101'959.38 pkt/sec - 475.33 Mbit/sec]
> > =========================
> > Actual Stats: 52299 pkts [1'001.94 ms][52'197.37 pkt/sec]
> > =========================
> >
> >
> > Any ideas?
> >
> > Thanks.
> >
> > -David
> >
> >
> > _______________________________________________
> > Oisf-devel mailing list
> > Oisf-devel at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> >
> >
>
>
>
>
Hi Dave,

We have experienced similar errors before, but they are not exactly errors - it is
just Suri saying there are some bytes missing or a segment missing in the
stream - it is more of an informational alert than an error.

For example, we had a similar situation where Suricata was deployed on an
interface with a couple of VLANs - and it was generating a bunch of the
aforementioned app-layer errors, because it was listening on the general interface, not on
the VLAN-specific interfaces (instead of eth0.55 or eth0.37 it was
listening just on eth0, therefore not being happy about the 4-byte VLAN tag,
which it was not aware of since it was not listening on the correct
interface), or you can also get that if Suricata listens on a trunk port of
VLANs where every VLAN is tagged (instead of listening on a particular
VLAN/s).
It will still inspect traffic.
I presume your case is similar to that, but as you mentioned with SSL/TLS.
These errors can also happen if there is a missing segment in the stream.

If you feel comfortable, you can privately send a pcap - so that we can
confirm that this is the case and we are not missing something.

Thanks

-- 
Peter Manev
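Added example (not code from this thread, from Suricata or from PF_RING): a small 802.1Q-aware Ethernet frame parser that shows the offset shift Peter describes. A reader that does not know about the 4-byte VLAN tag takes the tag's TPID (0x8100, or 0x88A8 for a stacked outer tag) as the EtherType and the tag's TCI as the start of the IP header, so everything above layer 2 is decoded from the wrong place. The frames, MAC addresses and 10.0.0.x IP addresses below are constructed for the example; the parser also handles stacked (QinQ) tags, which the thread does not mention.

```python
"""802.1Q-aware Ethernet frame parsing (added example, not code from the
thread, Suricata or PF_RING).  Shows why a reader that ignores the 4-byte
VLAN tag misreads the EtherType and the start of the IP header.  All frames,
MAC addresses and IP addresses below are constructed."""
import struct

ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (outer tag of a stack)


def parse_frame(frame: bytes, vlan_aware: bool = True) -> dict:
    """Return the final EtherType, the VLAN IDs seen and the L3 offset.

    With vlan_aware=False the function mimics a reader that does not know
    about 802.1Q: it reports bytes 12..13 as the EtherType and assumes L3
    starts at offset 14, which is wrong for a tagged frame.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = ETH_HDR_LEN
    vlan_ids = []
    while vlan_aware and ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + VLAN_TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        # each tag is a TCI (PCP/DEI/VID) followed by the next EtherType
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + VLAN_TAG_LEN])
        vlan_ids.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VID
        offset += VLAN_TAG_LEN
    return {"ethertype": ethertype, "vlan_ids": vlan_ids, "l3_offset": offset}


def ip_version_at(frame: bytes, offset: int) -> int:
    """High nibble of the byte at `offset`; 4 if it really is an IPv4 header."""
    return frame[offset] >> 4


def build_frame(vlan_ids=()) -> bytes:
    """Constructed test frame: Ethernet, optional 802.1Q/802.1ad tags, minimal IPv4."""
    dst = bytes.fromhex("001b7831f1a4")            # made-up MAC addresses
    src = bytes.fromhex("0050568a0001")
    frame = dst + src
    for i, vid in enumerate(vlan_ids):
        # the outer tag of a stack uses 0x88A8, inner tags 0x8100; the field
        # after each VID is the EtherType of whatever follows the tag
        tpid = ETHERTYPE_QINQ if (len(vlan_ids) > 1 and i == 0) else ETHERTYPE_VLAN
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    # minimal 20-byte IPv4 header: TCP, 10.0.0.1 -> 10.0.0.2, checksum left zero
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return frame


def compare(frame: bytes) -> dict:
    """Parse the same frame with and without 802.1Q support, side by side."""
    aware = parse_frame(frame, vlan_aware=True)
    naive = parse_frame(frame, vlan_aware=False)
    return {
        "vlan_ids": aware["vlan_ids"],
        "aware_l3_offset": aware["l3_offset"],
        "aware_ip_version": ip_version_at(frame, aware["l3_offset"]),
        "naive_ethertype": naive["ethertype"],
        "naive_ip_version": ip_version_at(frame, naive["l3_offset"]),
    }


if __name__ == "__main__":
    for label, vids in (("untagged", ()), ("VLAN 55", (55,)), ("QinQ 100/37", (100, 37))):
        print(label, compare(build_frame(vids)))
```

For the VLAN 55 frame the aware parse puts the IP header at offset 18 and sees version 4, while the naive parse reports EtherType 0x8100 and reads a "version" of 0 from the TCI bytes; on a tagged trunk every frame takes the naive path. A quick field check for the same condition is `tcpdump -e -i eth2` on the parent interface, which prints the 802.1Q tag in the link-layer header of each tagged frame.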

