[Oisf-devel] Latest 2.0dev (rev 68ba9df) + PF_RING (+DNA+libzero) = no HTTP logs
Victor Julien
victor at inliniac.net
Tue Sep 24 14:33:49 UTC 2013
On 09/24/2013 04:30 PM, Chris Wakelin wrote:
> Hi,
>
> I may be doing something wrong, but I've just tried this morning's git
> master (rev 68ba9df - i.e. just before the SSL updates - compiled with
> my current PF_RING, version 5.6.0) on the student network and it seems
> to be failing to log any HTTP (or HTTP alerts). There were some UDP alerts
> though.
>
> The previous version, from 22nd July - 2.0dev (rev 055b422) is fine
> (though sometimes misses fields in the filestore .meta files).
>
> At first, I wasn't convinced about the fix for DNA ignoring
> PF_RING_LONG_HEADER, namely that this flag is only needed when checksums
> are enabled (which they aren't in my case), so I tried my own fix of
> calling pfring_parse_pkt in the PfringProcessPacket function (which I've
> been doing since July, together with the extra PF_RING_DNA_SYMMETRIC_RSS
> flag which may help for ordinary DNA rather than DNA + libzero) :-
>
> --- src/source-pfring.c.orig 2013-09-12 18:49:30.940770018 +0100
> +++ src/source-pfring.c 2013-09-24 15:17:47.334061588 +0100
> @@ -209,6 +209,14 @@
>
> PfringThreadVars *ptv = (PfringThreadVars *)user;
>
> + /* DNA interfaces ignore the PF_RING_LONG_HEADER flag
> + * so force parsing of the packet here
> + * up to level 4 and add timestamp */
> + if (strncmp(ptv->interface, "dna", 3) == 0) {
> + memset((void*)&h->extended_hdr.parsed_pkt, 0, sizeof(struct
> pkt_parsing_info));
> + pfring_parse_pkt((char *)GET_PKT_DIRECT_DATA(p), h, 4, 1, 0);
> + }
> +
> ptv->bytes += h->caplen;
> ptv->pkts++;
> (void) SC_ATOMIC_ADD(ptv->livedev->pkts, 1);
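Review bot: the `strncmp(ptv->interface, "dna", 3) == 0` test in this hunk runs once per received packet inside PfringProcessPacket, although its result is fixed for the lifetime of the capture thread; evaluate it once where the ring is opened and keep the answer in PfringThreadVars (for example an `is_dna` flag) so the per-packet path only does the memset and the pfring_parse_pkt call. The comment above the block should also say why parsing stops at level 4 (L4 headers are all the flow engine needs here) so a later reader does not raise it to parse tunnels.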
> @@ -388,6 +396,11 @@
>
> opflag = PF_RING_REENTRANT | PF_RING_PROMISC;
>
> + if (strncmp(ptv->interface, "dna", 3) == 0) {
> + opflag |= PF_RING_DNA_SYMMETRIC_RSS;
> + }
> +
> +
> if (ptv->checksum_mode == CHECKSUM_VALIDATION_RXONLY) {
> if (strncmp(ptv->interface, "dna", 3) == 0) {
> SCLogWarning(SC_ERR_INVALID_VALUE,
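Review bot: the two consecutive `+` blank lines after the new block leave a double empty line; one is enough. The new `strncmp(ptv->interface, "dna", 3) == 0` test duplicates the identical check three lines below inside the checksum-mode branch; computing the result once before `opflag = PF_RING_REENTRANT | PF_RING_PROMISC;` and reusing it in both places (and storing it in ptv, which would also serve the per-packet check in PfringProcessPacket) avoids the repeated string compare. Since PF_RING_DNA_SYMMETRIC_RSS is now set unconditionally for every interface whose name starts with "dna", and the covering mail says it is expected to matter only for plain DNA rather than DNA + libzero, consider gating it behind a pfring yaml option so users of the current behaviour are not switched silently.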
>
> However, this made no difference.
>
> I did update libhtp to latest git as well (so version 0.5.7+) but I
> think there have been minimal changes.
>
> Running Suricata against a pcap is fine, so it does seem to be a PF_RING
> issue.
One thing I can think of is vlan handling. We recently added vlan
tracking for flows. It can be disabled in the yaml:
  vlan:
    use-for-tracking: true
It defaults to 'true' if missing.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
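The VLAN-tracking explanation offered in the reply, worked through as an added Python example (this is an illustration written for this page, not Suricata's flow code): when the VLAN id is part of the flow key and the two directions of one TCP connection reach the sensor with different 802.1Q tags, the SYN and the SYN/ACK land in two separate flows, the connection is never seen as established, and the HTTP parser receives nothing. The `Packet` type, the addresses, the VLAN ids and the `compare` helper are all constructed for the demonstration; only the `vlan.use-for-tracking` option name comes from the thread.

```python
"""Why VLAN-aware flow tracking can hide an HTTP session from an IDS when
the two directions of a connection carry different 802.1Q tags.
Added illustration for this thread; not Suricata's own implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int            # IP protocol number, 6 = TCP
    vlan: Optional[int]   # 802.1Q VLAN id, None when untagged
    flags: str            # TCP flags, e.g. "S", "SA", "A", "PA"


FlowKey = Tuple[Tuple[str, int], Tuple[str, int], int, Optional[int]]


def flow_key(pkt: Packet, use_vlan_for_tracking: bool) -> FlowKey:
    """Direction-independent 5-tuple. The VLAN id is appended only when
    tracking by VLAN is on (the `vlan.use-for-tracking` yaml option)."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)   # sort so both directions match
    vlan = pkt.vlan if use_vlan_for_tracking else None
    return (lo, hi, pkt.proto, vlan)


def group_flows(packets: List[Packet], use_vlan_for_tracking: bool) -> Dict[FlowKey, List[Packet]]:
    """Bucket packets into flows exactly as a flow table keyed by flow_key would."""
    flows: Dict[FlowKey, List[Packet]] = {}
    for p in packets:
        flows.setdefault(flow_key(p, use_vlan_for_tracking), []).append(p)
    return flows


def established_flows(flows: Dict[FlowKey, List[Packet]]) -> int:
    """Count TCP flows whose SYN and SYN/ACK ended up in the same flow.
    Only such flows are handed to the stream engine and then to the HTTP parser."""
    n = 0
    for pkts in flows.values():
        saw_syn = any(p.flags == "S" for p in pkts)
        saw_synack = any(p.flags == "SA" for p in pkts)
        if saw_syn and saw_synack:
            n += 1
    return n


# Constructed sample: a client on VLAN 100 fetches a page from a web server;
# the mirror port delivers the server's replies tagged with VLAN 200.
CLIENT, SERVER = "10.0.0.5", "192.0.2.80"
SAMPLE = [
    Packet(CLIENT, 51000, SERVER, 80, 6, 100, "S"),
    Packet(SERVER, 80, CLIENT, 51000, 6, 200, "SA"),
    Packet(CLIENT, 51000, SERVER, 80, 6, 100, "A"),
    Packet(CLIENT, 51000, SERVER, 80, 6, 100, "PA"),   # GET /
    Packet(SERVER, 80, CLIENT, 51000, 6, 200, "PA"),   # HTTP/1.1 200 OK
]


def compare(packets: List[Packet]) -> Dict[str, Tuple[int, int]]:
    """Return (number of flows, number of established flows) with VLAN
    tracking on and off, so the two settings can be compared side by side."""
    on = group_flows(packets, True)
    off = group_flows(packets, False)
    return {"on": (len(on), established_flows(on)),
            "off": (len(off), established_flows(off))}


if __name__ == "__main__":
    print(compare(SAMPLE))  # {'on': (2, 0), 'off': (1, 1)}
```

With tracking on, the sample yields two one-directional flows and no established connection, which matches the symptom in the thread (UDP alerts still fire because they need no handshake); with tracking off, the same packets form one established flow. Whether the tags really differ per direction is something to confirm from the capture before changing the option.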