[Oisf-users] Problem when running suricata with PF_RING

Will Metcalf william.metcalf at gmail.com
Tue Nov 16 12:42:39 UTC 2010


Hmm, yes, I did indeed try.  There was a bug in PF_RING that I reported
to Luca; it was fixed and now it works properly.  Are you still
getting the same error message?  Perhaps you should use dkms to remove
any versions of PF_RING modules you have installed.  Once you have
done this, nuke the /opt/PF_RING/ dir and restart the install procedure
from scratch.

Regards,

Will

On Tue, Nov 16, 2010 at 3:20 AM, Sylvain Chillaud
<sylvain.chillaud at gmail.com> wrote:
> bump
>
> I've been trying with the latest rev of PF_RING but I still get the same
> error.
>
> Did you give it a try, Will?
>
> 2010/10/5 Will Metcalf <william.metcalf at gmail.com>
>>
>> That's what it sounds like to me as well. Whenever I get 20 minutes or
>> so I can try to build on my end from the latest PF_RING version.
>>
>> Regards,
>>
>> Will
>>
>> On Tue, Oct 5, 2010 at 8:04 AM, Victor Julien <victor at inliniac.net> wrote:
>> > Sylvain Chillaud wrote:
>> >> Hello,
>> >>
>> >> I've been trying to install suricata with pf_ring, following the
>> >> instructions in INSTALL.PF_RING in the doc directory of the
>> >> suricata-1.0.2 tarball (and the guide on the oisf website).
>> >> I've managed to configure and compile it, but when running it I get the
>> >> following errors:
>> >>
>> >>
>> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:248) <Info>
>> >> (ReceivePfringThreadInit) -- Going to use cluster-id 99
>> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info>
>> >> (ReceivePfringThreadInit) -- going to use interface eth2
>> >> Wrong RING version: kernel is 12, libpfring was compiled with 9
>> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error>
>> >> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
>> >> pfring_open error
>> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:370) <Info>
>> >> (StreamTcpInitConfig) -- stream "max_sessions": 262144
>> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:382) <Info>
>> >> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
>> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:392) <Info>
>> >> (StreamTcpInitConfig) -- stream "memcap": 33554432
>> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:399) <Info>
>> >> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
>> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:407) <Info>
>> >> (StreamTcpInitConfig) -- stream "async_oneside": disabled
>> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:416) <Info>
>> >> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
>> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:436) <Info>
>> >> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
>> >> [16781] 5/10/2010 -- 12:11:47 - (tm-threads.c:1416) <Error>
>> >> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] -
>> >> thread
>> >> "ReceivePfring" closed on initialization.
>> >> [16781] 5/10/2010 -- 12:11:47 - (suricata.c:1128) <Error> (main) --
>> >> [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed,
>> >> aborting...
>> >>
>> >>
>> >>
>> >> The server is not a clean server (as in: just installed), there are
>> >> other applications on it, including a snort.
>> >> It is a debian 5 lenny, kernel 2.6.26-2-amd64.
>> >>
>> >> I used aptitude to upgrade/install the packages needed, got some errors
>> >> with libpcap-dev and libpcap0.8-dev (as if the files were corrupted, it
>> >> couldn't open them), but these are said to be required for the install
>> >> without pf_ring as well, and suricata without pf_ring options started
>> >> all right anyway, so I guessed it was ok.
>> >>
>> >> But when installing and using pfring options (suricata --pfring-int
>> >> eth1 --pfring-cluster-id=99 --pfring-cluster-type cluster_flow -c
>> >> /etc/suricata/suricata.yaml), I get these error messages.
>> >> PF_RING is the last version I could get at
>> >> https://svn.ntop.org/svn/ntop/trunk/PF_RING/ though I got it via a
>> >> windows svn and not via the server (I don't think it changes anything,
>> >> though).
>> >>
>> >> I've searched but have not found any reference to the errcode or any of
>> >> the other error messages, thus I'd like to ask if someone has an idea
>> >> of the problem.
>> >
>> > This error "Wrong RING version: kernel is 12, libpfring was compiled
>> > with 9" sounds pretty serious to me. Mismatch between kernel pfring
>> > version and the userland lib?
>> >
>> > Cheers,
>> > Victor
>> > --
>> > ---------------------------------------------
>> > Victor Julien
>> > http://www.inliniac.net/
>> > PGP: http://www.inliniac.net/victorjulien.asc
>> > ---------------------------------------------
>> >
>
>
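
The check that Victor's diagnosis and Will's cleanup advice point to, as an added example (not from the thread, and not Suricata or PF_RING project code): it extracts the two version numbers from a Suricata log and lists the pf_ring kernel modules present on the host. The function names and the dkms module name `pf_ring` are assumptions; the sample log lines are copied from the output quoted above.

```shell
#!/bin/sh
# Added example: confirm the PF_RING kernel/userland mismatch from a Suricata
# log, then list the pf_ring modules a cleanup would have to remove.

# Sample input: three log lines copied from the output quoted in the thread.
SAMPLE_LOG='[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info> (ReceivePfringThreadInit) -- going to use interface eth2
Wrong RING version: kernel is 12, libpfring was compiled with 9
[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - pfring_open error'

# ring_mismatch: read log text on stdin and print "kernel=<n> lib=<m>" for the
# first "Wrong RING version" line. Exit status 1 means a mismatch was reported,
# 0 means the log contains no such line.
ring_mismatch() {
    pair=$(sed -n 's/.*Wrong RING version: kernel is \([0-9][0-9]*\), libpfring was compiled with \([0-9][0-9]*\).*/kernel=\1 lib=\2/p' | head -n 1)
    [ -z "$pair" ] && return 0
    echo "$pair"
    return 1
}

# pf_ring_inventory: list every place a pf_ring module can come from, so stale
# copies are visible before rebuilding. Tools that are not installed are skipped.
pf_ring_inventory() {
    if command -v dkms >/dev/null 2>&1; then
        # Assumption: the module was registered with dkms under the name pf_ring.
        dkms status 2>/dev/null | grep -i 'pf_ring' | sed 's/^/dkms: /'
    fi
    if command -v modinfo >/dev/null 2>&1; then
        # The file the running kernel would load for "modprobe pf_ring".
        modinfo -F filename pf_ring 2>/dev/null | sed 's/^/modinfo: /'
    fi
    # Any other copies of the module under the running kernel's module tree.
    find "/lib/modules/$(uname -r)" -name 'pf_ring.ko*' 2>/dev/null | sed 's/^/on disk: /'
    # The source/install tree named in the thread.
    if [ -d /opt/PF_RING ]; then echo "source tree: /opt/PF_RING"; fi
    return 0
}

# Run against the sample; pipe a real Suricata log into ring_mismatch instead.
if ! printf '%s\n' "$SAMPLE_LOG" | ring_mismatch; then
    echo "kernel module and libpfring were built from different PF_RING versions"
    pf_ring_inventory
fi
```

More than one entry in the inventory output means an older module or library is still installed next to the new build.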


