[Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
Will Metcalf
william.metcalf at gmail.com
Thu Aug 4 19:52:14 UTC 2011
Since VictorJ is on vaca, if somebody wants an early fix to test here
you go... Also included is a new PF_RING "single" run mode which at
least in my testing performs better when threads setting for PF_RING
is > 1 over autofp. You can test by enabling setting runmode to
single in the suricata.yaml.
Regards,
Will
On Thu, Aug 4, 2011 at 11:49 AM, Chris Wakelin
<c.d.wakelin at reading.ac.uk> wrote:
> On 04/08/11 17:36, Peter Manev wrote:
>> Hi,
>> Can you please try the following:
>> 1. Increase the MTU to 1522
>
> Yes, trying that now with native PF_RING, but doesn't seem to make any
> difference.
>
>> 2. Can you try to point suricata to listen to the VLAN interface directly
>> for example: suricata -c /etc/suricata/yaml -i eth0.15
>
> Only inbound packets are VLAN-tagged, e.g. ARGUS ratop shows
>
>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State sVlan dVlan
>> 17:38:42.013921 M s tcp xxx.xxx.216.22.22 <?> 134.225.yyy.yyy.60262 187072 234694540 E 0x0fa1
>> 17:38:43.533109 M s tcp xxx.xxx.216.23.22 <?> 134.225.yyy.yyy.58316 86514 112270100 E 0x0fa1
>> 17:38:42.749149 M * tcp 134.225.uuu.uuu.36552 -> vvv.vvv.134.84.80 82389 84852685 sSE 0x0fa1
>
> I think if I tried -i eth1.64001 I'd miss half the traffic?
>
>> 3. is there any difference?
>> 4. A pcap would be helpful to further explore the issue (should you
>> consider).
>
> Most of the packets aren't flagging errors, so it's a bit of a needle in
> a haystack. I have a couple that I sent to Will that gave AppLayerParse
> errors in "http" when using native PF_RING but not PF_RING-enabled
> libpcap. Increasing MTU from the default (1514 presumably) to 1515 fixed
> them :)
>
> Best Wishes,
> Chris
>
> --
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin, c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
> Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-PF_RING-off-by-one-error-when-dealing-with-a-ful.patch
Type: application/octet-stream
Size: 7183 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110804/e81e7bc3/attachment.obj>
More information about the Oisf-devel
mailing list