<p dir="ltr">Make sure you build the libpcap that comes with the pf_ring source code and link to that when building suricata.</p>
<div class="gmail_quote">On Sep 22, 2015 9:48 PM, "Spransy, Derek" <<a href="mailto:dsprans@emory.edu">dsprans@emory.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks Jason. Would you also mind sharing the configure statement you used? I updated all of the pf_ring modules to the latest nightly build. Configure now gets past the pf_ring linking stage (maybe a previous pf_ring install issue?) without the LIBS variable being defined, but it's still failing with libcap-ng-devel and nspr-devel.<br>
<br>
checking for capng_clear in -lcap-ng... no<br>
<br>
WARNING! libcap-ng library not found, go get it<br>
from <a href="http://people.redhat.com/sgrubb/libcap-ng/" rel="noreferrer" target="_blank">http://people.redhat.com/sgrubb/libcap-ng/</a><br>
or your distribution:<br>
<br>
Ubuntu: apt-get install libcap-ng-dev<br>
Fedora: yum install libcap-ng-devel<br>
<br>
Suricata will be built without support for dropping privs.<br>
<br>
checking for libnspr... yes<br>
checking nspr.h usability... yes<br>
checking nspr.h presence... yes<br>
checking for nspr.h... yes<br>
checking for PR_GetCurrentThread in -lnspr4... no<br>
<br>
ERROR! libnspr library not found, go get it<br>
from Mozilla or your distribution:<br>
<br>
Ubuntu: apt-get install libnspr4-dev<br>
Fedora: yum install nspr-devel<br>
<br>
However, interestingly, if I compile suricate 2.1beta4 it compiles without issue. Does anyone know if something changed in the linking for these two modules between 2.0.8 and 2.1beta?<br>
<br>
________________________________________<br>
From: Spransy, Derek<br>
Sent: Tuesday, September 22, 2015 9:22 AM<br>
To: Jason Ish<br>
Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] Suricata compilation issues with pf_ring<br>
<br>
Hi Jason,<br>
<br>
Can you share which pf_ring packages you've used? I've also installed pf_ring via packages rather than compiling. Here's what I currently have installed:<br>
<br>
pfring-6.1.1-58.x86_64<br>
pfring-drivers-zc-dkms-1.2-0.noarch<br>
pfring-dkms-6.1.1-156.noarch<br>
e1000e-zc-3.0.4.1.162-1dkms.noarch.rpm<br>
i40e-zc-1.1.23.162-1dkms.noarch.rpm<br>
pfring-drivers-zc-dkms-1.2-0.noarch.rpm<br>
igb-zc-5.2.5.162-1dkms.noarch.rpm<br>
ixgbe-zc-3.22.3.156-1dkms.noarch.rpm<br>
<br>
Thanks<br>
<br>
________________________________________<br>
From: <a href="mailto:lists@ish.cx">lists@ish.cx</a> <<a href="mailto:lists@ish.cx">lists@ish.cx</a>> on behalf of Jason Ish <<a href="mailto:lists@unx.ca">lists@unx.ca</a>><br>
Sent: Monday, September 21, 2015 5:15 PM<br>
To: Spransy, Derek<br>
Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] Suricata compilation issues with pf_ring<br>
<br>
On Mon, Sep 21, 2015 at 12:53 PM, Spransy, Derek <<a href="mailto:dsprans@emory.edu">dsprans@emory.edu</a>> wrote:<br>
> Hello all,<br>
><br>
> My apologies if this has been asked and answered previously, but I'm new to the list. I'm attempting to compile Suricata 2.0.8 on RHEL 7 with pf_ring (zero-copy) support. I encountered some problems while running configure during the linking of the pf_ring libraries. I found another listserv post that suggested setting LIBS="-lrt -lnuma" prior to running configure. This does indeed get me past the problems linking pf_ring, but later on I believe it causes issues with linking libpcap and file. The necessary packages are installed, and if I compile Suricata without pf_ring support, everything configures and compiles as expected.<br>
><br>
> Here's a link to the output that I get when I compile with the LIBS variable defined, and without:<br>
> <a href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fpastebin.com%2f8TfCAJQ3&data=01%7c01%7cdsprans%40emory.edu%7cac5588eb7ee8415de6bf08d2c2c9bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=6bpl2CgNcGTShjQont1TDbus3VZ0YzXwzCjMnww8utk%3d" rel="noreferrer" target="_blank">https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fpastebin.com%2f8TfCAJQ3&data=01%7c01%7cdsprans%40emory.edu%7cac5588eb7ee8415de6bf08d2c2c9bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=6bpl2CgNcGTShjQont1TDbus3VZ0YzXwzCjMnww8utk%3d</a><br>
><br>
> And here's a snipped of the errors in config.log when run configure with and without the LIBS variable defined:<br>
> <a href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fpastebin.com%2fSFz0GR26&data=01%7c01%7cdsprans%40emory.edu%7cac5588eb7ee8415de6bf08d2c2c9bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=hB4fdb%2fWMZNI0%2fCHkYoYbUx7mA29v%2flI8LmdABlJNn0%3d" rel="noreferrer" target="_blank">https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fpastebin.com%2fSFz0GR26&data=01%7c01%7cdsprans%40emory.edu%7cac5588eb7ee8415de6bf08d2c2c9bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=hB4fdb%2fWMZNI0%2fCHkYoYbUx7mA29v%2flI8LmdABlJNn0%3d</a><br>
><br>
> If anyone has seen this previously, can you suggest a workaround? Any help would be appreciated!<br>
<br>
I wonder if this has more to do with how PF_RING was built? I just<br>
used the PF_RING packages for CentOS 7 and build Suricata just fine,<br>
then I built it PF_RING with the latest git checkout and it built just<br>
fine again - I also checked to make sure it was linking against the<br>
pfring enabled libpcap.<br>
<br>
Sorry I don't have a better answer for you at this time.<br>
<br>
________________________________<br>
<br>
This e-mail message (including any attachments) is for the sole use of<br>
the intended recipient(s) and may contain confidential and privileged<br>
information. If the reader of this message is not the intended<br>
recipient, you are hereby notified that any dissemination, distribution<br>
or copying of this message (including any attachments) is strictly<br>
prohibited.<br>
<br>
If you have received this message in error, please contact<br>
the sender by reply e-mail message and destroy all copies of the<br>
original message (including attachments).<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
</blockquote></div>