<font size=2 face="sans-serif">I saw this thread -- </font><a href="http://lists.openinfosecfoundation.org/pipermail/oisf-users/2010-September/000335.html"><font size=2 face="sans-serif">http://lists.openinfosecfoundation.org/pipermail/oisf-users/2010-September/000335.html</font></a><font size=2 face="sans-serif">
-- and freed up some memory and CPU cycles, and I am still getting the errors,
although the rate of the errors seems a little lower than before. I
am also seeing errors like this:</font>
<br>
<br><font size=2 face="sans-serif">[5391] 4/8/2011 -- 10:21:54 - (app-layer-parser.c:955)
<Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error
occured in parsing "tls" app layer protocol, using network protocol
6, source IP address 166.137.14.31, destination IP address <removed>,
src port 20375 and dst port 443</font>
<br><font size=2 face="sans-serif">[5391] 4/8/2011 -- 10:21:54 - (app-layer-htp.c:491)
<Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)]
- Error in parsing HTTP server response: [1] [htp_response.c] [677] Unable
to match response to request</font>
<br>
<br><font size=2 face="sans-serif">I checked the processors' load and memory
usage while Suricata was running and throwing these errors and everything
looked fine (e.g. there was plenty of RAM and CPU cycles to spare).</font>
<br>
<br><font size=2 face="sans-serif">Thanks.</font>
<br>
<br><font size=2 face="sans-serif">-David</font>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">David R. Wharton/Technology/REGIONS</font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">Will Metcalf <william.metcalf@gmail.com></font>
<br><font size=1 color=#5f5f5f face="sans-serif">Cc:
</font><font size=1 face="sans-serif">oisf-devel@openinfosecfoundation.org</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">08/04/2011 10:06 AM</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">Re: [Oisf-devel]
<Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
error -1</font>
<br>
<hr noshade>
<br>
<br><font size=2 face="sans-serif">Thanks Will. I installed Suricata
version 1.1beta2 (rev b3f7e6a) from git and now I don't get the PF_RING
errors. Now I get tons of App Layer parser errors, similar to the
following, mostly on SSL/TLS connections but I also see it on http and
smtp 'app layer protocol':</font>
<br>
<br><font size=2 face="sans-serif">[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955)
<Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error
occured in parsing "tls" app layer protocol, using network protocol
6, source IP address 66.255.199.50, destination IP address <removed>,
src port 34481 and dst port 443</font>
<br><font size=2 face="sans-serif">[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955)
<Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error
occured in parsing "tls" app layer protocol, using network protocol
6, source IP address 153.69.201.240, destination IP address <removed>,
src port 7132 and dst port 443</font>
<br><font size=2 face="sans-serif">[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955)
<Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error
occured in parsing "http" app layer protocol, using network protocol
6, source IP address <removed>, destination IP address 68.147.232.208,
src port 53771 and dst port 80</font>
<br>
<br><font size=2 face="sans-serif">Thanks.</font>
<br>
<br><font size=2 face="sans-serif">-David</font>
<br>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">Will Metcalf <william.metcalf@gmail.com></font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">David.R.Wharton@regions.com</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Cc:
</font><font size=1 face="sans-serif">oisf-devel@openinfosecfoundation.org</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">08/03/2011 04:35 PM</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">Re: [Oisf-devel]
<Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
error -1</font>
<br>
<hr noshade>
<br>
<br>
<br><tt><font size=2>You need to upgrade to the latest suricata version
from git. Packets<br>
are now passed as a reference in PF_RING 4.7.1, which required us to<br>
modify suri.<br>
<br>
Regards,<br>
<br>
Will<br>
On Wed, Aug 3, 2011 at 4:30 PM, <David.R.Wharton@regions.com>
wrote:<br>
> I'm trying to get Suricata up and running with PF_RING but I keep
getting a<br>
> pfring_recv error. Here is a snippet from when Suricata starts
up:<br>
><br>
> [13373] 3/8/2011 -- 16:25:22 - (source-pfring.c:313) <Info><br>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,<br>
> interface eth2, cluster-id 99<br>
> [13354] 3/8/2011 -- 16:25:23 - (tm-threads.c:1485) <Info><br>
> (TmThreadWaitOnThreadInit) -- all 11 packet processing threads, 3
management<br>
> threads initialized, engine started.<br>
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:232) <Error>
(ReceivePfring)<br>
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1<br>
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:332) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes
0<br>
> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:336) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0<br>
> Drop:0 (nan%).<br>
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info><br>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted<br>
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info><br>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,<br>
> interface eth2, cluster-id 99<br>
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)<br>
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1<br>
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes
0<br>
> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0<br>
> Drop:0 (nan%).<br>
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info><br>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted<br>
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info><br>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,<br>
> interface eth2, cluster-id 99<br>
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)<br>
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1<br>
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes
0<br>
> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0<br>
> Drop:0 (nan%).<br>
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info><br>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted<br>
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info><br>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,<br>
> interface eth2, cluster-id 99<br>
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)<br>
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1<br>
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes
0<br>
> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0<br>
> Drop:0 (nan%).<br>
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info><br>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted<br>
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info><br>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,<br>
> interface eth2, cluster-id 99<br>
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)<br>
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1<br>
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes
0<br>
> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0<br>
> Drop:0 (nan%).<br>
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info><br>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted<br>
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info><br>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,<br>
> interface eth2, cluster-id 99<br>
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)<br>
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1<br>
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes
0<br>
> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0<br>
> Drop:0 (nan%).<br>
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info><br>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted<br>
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info><br>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,<br>
> interface eth2, cluster-id 99<br>
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
(ReceivePfring)<br>
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1<br>
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes
0<br>
> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0<br>
> Drop:0 (nan%).<br>
> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info><br>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted<br>
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:313) <Info><br>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,<br>
> interface eth2, cluster-id 99<br>
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:232) <Error>
(ReceivePfring)<br>
> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1<br>
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:332) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes
0<br>
> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:336) <Info><br>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0<br>
> Drop:0 (nan%).<br>
> [13354] 3/8/2011 -- 16:25:25 - (tm-threads.c:1400) <Info><br>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted<br>
> [13395] 3/8/2011 -- 16:25:25 - (source-pfring.c:307) <Error><br>
> (ReceivePfringThreadInit) -- [ERRCODE:<br>
> SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned
-1 for<br>
> cluster-id: 99<br>
> [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1363) <Info> (main)
-- signal<br>
> received<br>
> [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1414) <Info> (main)
-- time<br>
> elapsed 3s<br>
> [13384] 3/8/2011 -- 16:25:25 - (flow.c:1142) <Info> (FlowManagerThread)
-- 0<br>
> new flows, 0 established flows were timed out, 0 flows in closed state<br>
> [13354] 3/8/2011 -- 16:25:25 - (stream-tcp-reassemble.c:352) <Info><br>
> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly engine<br>
> 11220864 (in use 0)<br>
> [13354] 3/8/2011 -- 16:25:25 - (stream-tcp.c:495) <Info><br>
> (StreamTcpFreeConfig) -- Max memuse of stream engine 4063232 (in use
0)<br>
> [13354] 3/8/2011 -- 16:25:26 - (detect.c:3403) <Info><br>
> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...<br>
> complete<br>
><br>
> I am running PF_RING 4.7.1 ($Revision: 4753$) and Suricata version
1.1beta2.<br>
><br>
> PF_RING seems to be installed OK and I can run the pfcount program
just<br>
> fine:<br>
><br>
> # cat /proc/net/pf_ring/info<br>
> PF_RING Version : 4.7.1 ($Revision: 4753$)<br>
> Ring slots : 4096<br>
> Slot version : 13<br>
> Capture TX : Yes [RX+TX]<br>
> IP Defragment : No<br>
> Socket Mode : Standard<br>
> Transparent mode : Yes (mode 0)<br>
> Total rings : 0<br>
> Total plugins : 0<br>
><br>
><br>
> # ./pfcount -i eth2<br>
> Using PF_RING v.4.7.1<br>
> Capturing from eth2 [00:1B:78:31:F1:A4]<br>
> # Device RX channels: 1<br>
> # Polling threads: 1<br>
> =========================<br>
> Absolute Stats: [49859 pkts rcvd][0 pkts dropped]<br>
> Total Pkts=49859/Dropped=0.0 %<br>
> 49'859 pkts - 28'713'541 bytes<br>
> =========================<br>
><br>
> =========================<br>
> Absolute Stats: [102158 pkts rcvd][0 pkts dropped]<br>
> Total Pkts=102158/Dropped=0.0 %<br>
> 102'158 pkts - 59'531'866 bytes [101'959.38 pkt/sec - 475.33 Mbit/sec]<br>
> =========================<br>
> Actual Stats: 52299 pkts [1'001.94 ms][52'197.37 pkt/sec]<br>
> =========================<br>
><br>
><br>
> Any ideas?<br>
><br>
> Thanks.<br>
><br>
> -David<br>
><br>
><br>
> _______________________________________________<br>
> Oisf-devel mailing list<br>
> Oisf-devel@openinfosecfoundation.org<br>
> </font></tt><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel"><tt><font size=2>http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</font></tt></a><tt><font size=2><br>
><br>
><br>
</font></tt>
<br>
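A small log triage helper for the Suricata 1.x log lines quoted in this thread, added here as an example and not code from Suricata or from anyone in the thread: it parses the <tt>[pid] date -- time - (file:line) &lt;Level&gt; (Function) -- [ERRCODE: NAME(n)] - message</tt> shape, counts errors per ERRCODE and per app-layer protocol, and flags the pattern in the quoted startup log where the ReceivePfring thread is restarted again and again with zero packets received, i.e. a sensor that is up but blind. The sample lines are constructed after those in the thread, with documentation IP addresses in place of the posted ones.

```python
import re
from collections import Counter

# Suricata 1.x log line shape as quoted in this thread (added example, not Suricata code):
# [pid] d/m/yyyy -- hh:mm:ss - (file.c:line) <Level> (Function) -- [ERRCODE: NAME(n)] - msg
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<date>\S+) -- (?P<time>\S+) - \((?P<src>[^)]+)\) <(?P<level>\w+)> "
    r"\((?P<func>\w+)\) -- (?:\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$")

# Constructed sample modelled on the thread's lines (documentation IPs, not the posted ones).
SAMPLE_LOG = """\
[13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:232) <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
[13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:332) <Info> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
[13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
[13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
[13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
[13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
[4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "tls" app layer protocol, using network protocol 6, source IP address 192.0.2.10, destination IP address 198.51.100.5, src port 34481 and dst port 443
[5391] 4/8/2011 -- 10:21:54 - (app-layer-htp.c:491) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [677] Unable to match response to request
"""

def parse_line(line):
    # Fields of one log line as a dict, or None when the line is not in this format.
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def error_counts(records):
    # Error lines per ERRCODE name, e.g. SC_ERR_PF_RING_RECV -> 2 for the sample above.
    return Counter(r["code"] for r in records if r["code"])

def alparser_protocols(records):
    # Protocol each SC_ERR_ALPARSER line blames; libhtp response errors name none -> "other".
    out = Counter()
    for r in records:
        if r["code"] == "SC_ERR_ALPARSER":
            m = re.search(r'parsing "(\w+)" app layer protocol', r["msg"])
            out[m.group(1) if m else "other"] += 1
    return out

def capture_thread_looping(records, thread="ReceivePfring", min_restarts=2):
    # True when the capture thread keeps being restarted and never reports a packet:
    # the engine is up but inspecting nothing, a visibility gap rather than log noise.
    restarts = sum(1 for r in records
                   if r["func"] == "TmThreadRestartThread" and f'"{thread}"' in r["msg"])
    pkts = [int(m.group(1)) for r in records if r["func"] == thread + "ThreadExitStats"
            for m in [re.search(r"Packets (\d+)", r["msg"])] if m]
    return restarts >= min_restarts and bool(pkts) and max(pkts) == 0
```

Run over a real suricata.log the same way (read the file instead of SAMPLE_LOG); a rising SC_ERR_ALPARSER count split by protocol tells you whether the parser errors are a TLS-only or a general problem, while a True from capture_thread_looping means the sensor is not inspecting traffic at all.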