[Discussion] Suricata with PF_RING 4.7

Sun Sep 18 13:07:44 UTC 2011

1.1beta2 does not fix this, as I stated previously you need to use the
version in git.

Regards,

Will
On Sun, Sep 18, 2011 at 5:50 AM, Mohsen Saeedi <mohsen.saeedi at gmail.com> wrote:
> Hi
> I compiled suricata 1.1beta2 with PF_RING 4.7.1 and i got these error:
> [12971] 18/9/2011 -- 15:17:54 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth0, cluster-id 99
> [12966] 18/9/2011 -- 15:17:55 - (tm-threads.c:1485) <Info>
> (TmThreadWaitOnThreadInit) -- all 8 packet processing threads, 3 management
> threads initialized, engine started.
> [12971] 18/9/2011 -- 15:17:55 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error
> -1
> [12971] 18/9/2011 -- 15:17:55 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [12971] 18/9/2011 -- 15:17:55 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (-nan%).
> [12966] 18/9/2011 -- 15:17:55 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [12982] 18/9/2011 -- 15:17:55 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth0, cluster-id 99
> [12982] 18/9/2011 -- 15:17:55 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error
> -1
> [12982] 18/9/2011 -- 15:17:55 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [12982] 18/9/2011 -- 15:17:55 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (-nan%).
> [12966] 18/9/2011 -- 15:17:55 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [12983] 18/9/2011 -- 15:17:55 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth0, cluster-id 99
> [12983] 18/9/2011 -- 15:17:55 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error
> -1
> [12983] 18/9/2011 -- 15:17:55 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [12983] 18/9/2011 -- 15:17:55 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (-nan%).
> [12966] 18/9/2011 -- 15:17:55 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [12984] 18/9/2011 -- 15:17:55 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth0, cluster-id 99
> [12984] 18/9/2011 -- 15:17:55 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error
> -1
> [12984] 18/9/2011 -- 15:17:55 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [12984] 18/9/2011 -- 15:17:55 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (-nan%).
> [12966] 18/9/2011 -- 15:17:55 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [12985] 18/9/2011 -- 15:17:55 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth0, cluster-id 99
> [12985] 18/9/2011 -- 15:17:55 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error
> -1
> [12985] 18/9/2011 -- 15:17:55 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [12985] 18/9/2011 -- 15:17:55 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (-nan%).
> [12966] 18/9/2011 -- 15:17:55 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [12986] 18/9/2011 -- 15:17:55 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth0, cluster-id 99
> [12986] 18/9/2011 -- 15:17:55 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error
> -1
> [12986] 18/9/2011 -- 15:17:55 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [12986] 18/9/2011 -- 15:17:55 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (-nan%).
> [12966] 18/9/2011 -- 15:17:55 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [12987] 18/9/2011 -- 15:17:55 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth0, cluster-id 99
> [12987] 18/9/2011 -- 15:17:55 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error
> -1
> [12987] 18/9/2011 -- 15:17:55 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [12987] 18/9/2011 -- 15:17:55 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (-nan%).
> [12966] 18/9/2011 -- 15:17:55 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [12988] 18/9/2011 -- 15:17:55 - (source-pfring.c:313) <Info>
> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
> interface eth0, cluster-id 99
> [12988] 18/9/2011 -- 15:17:55 - (source-pfring.c:232) <Error>
> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error
> -1
> [12988] 18/9/2011 -- 15:17:55 - (source-pfring.c:332) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> [12988] 18/9/2011 -- 15:17:55 - (source-pfring.c:336) <Info>
> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
> Drop:0 (-nan%).
> [12966] 18/9/2011 -- 15:17:55 - (tm-threads.c:1400) <Info>
> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> [12989] 18/9/2011 -- 15:17:55 - (source-pfring.c:307) <Error>
> (ReceivePfringThreadInit) -- [ERRCODE:
> SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -1 for
> cluster-id: 99
> [12966] 18/9/2011 -- 15:17:55 - (suricata.c:1363) <Info> (main) -- signal
> received
> [12966] 18/9/2011 -- 15:17:55 - (suricata.c:1414) <Info> (main) -- time
> elapsed 1s
> [12979] 18/9/2011 -- 15:17:55 - (flow.c:1142) <Info> (FlowManagerThread) --
> 0 new flows, 0 established flows were timed out, 0 flows in closed state
> [12966] 18/9/2011 -- 15:17:55 - (stream-tcp-reassemble.c:352) <Info>
> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly engine
> 11292544 (in use 0)
> [12966] 18/9/2011 -- 15:17:55 - (stream-tcp.c:495) <Info>
> (StreamTcpFreeConfig) -- Max memuse of stream engine 5505024 (in use 0)
> [12966] 18/9/2011 -- 15:17:55 - (detect.c:3403) <Info>
> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> complete
>
> What is wrong?
> Thanks
>
> On Sun, Sep 18, 2011 at 5:16 AM, William Metcalf <william.metcalf at gmail.com>
> wrote:
>>
>> 4.6 should work please let us know if it doesn't
>>
>> Regards,
>>
>> Will
>>
>>
>> On Sep 17, 2011, at 7:08 PM, Mohsen Saeedi <mohsen.saeedi at gmail.com>
>> wrote:
>>
>> > I used PF_RING 4.7.0 and i got the same error too. now i'm going to
>> > test it with 4.6.x
>> > any idea?
>> >
>> > On Sat, Sep 17, 2011 at 11:18 PM, Will Metcalf
>> > <william.metcalf at gmail.com> wrote:
>> >>
>> >> PF_RING 4.7 added the requirement to call pfring_enable_ring(), which
>> >> was not previously required nor in the 1.0.4 code base.  So you have
>> >> two options, either use an older version of PF_RING a newer version of
>> >> suricata.  You can get the latest version of the code by issuing the
>> >> following command.
>> >>
>> >> git clone git://phalanx.openinfosecfoundation.org/oisf.git
>> >>
>> >> Regards,
>> >>
>> >> Will
>> >>
>> >> On Sat, Sep 17, 2011 at 11:50 AM, Mohsen Saeedi
>> >> <mohsen.saeedi at gmail.com> wrote:
>> >>> Hi
>> >>> I make suricata 1.0.4 rpm and pfring 4.7 rpm and installed them with
>> >>> new pcap lib on the centos 6.0.but when i started suricata with below
>> >>> command it report some error about pfring receive! please help me.
>> >>> suricata -c /etc/suricata/suricata.yaml --pfring-int=eth1
>> >>>
>> >>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
>> >>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
>> >>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
>> >>> (ReceivePfringThreadInit) -- going to use interface eth1
>> >>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
>> >>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
>> >>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
>> >>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
>> >>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
>> >>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
>> >>> error  -1
>> >>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> >>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
>> >>> Recv:0 Drop:0 (-nan%).
>> >>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
>> >>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
>> >>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
>> >>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> >>>
>> >>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
>> >>> (ReceivePfringThreadInit) -- going to use interface eth1
>> >>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
>> >>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
>> >>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
>> >>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
>> >>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
>> >>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
>> >>> error  -1
>> >>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> >>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
>> >>> Recv:0 Drop:0 (-nan%).
>> >>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
>> >>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> >>>
>> >>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
>> >>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
>> >>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
>> >>> (ReceivePfringThreadInit) -- going to use interface eth1
>> >>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
>> >>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
>> >>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
>> >>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
>> >>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
>> >>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
>> >>> error  -1
>> >>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> >>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
>> >>> Recv:0 Drop:0 (-nan%).
>> >>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
>> >>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> >>>
>> >>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
>> >>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
>> >>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
>> >>> (ReceivePfringThreadInit) -- going to use interface eth1
>> >>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
>> >>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
>> >>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
>> >>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
>> >>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
>> >>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
>> >>> error  -1
>> >>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> >>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
>> >>> Recv:0 Drop:0 (-nan%).
>> >>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
>> >>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> >>>
>> >>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
>> >>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
>> >>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
>> >>> (ReceivePfringThreadInit) -- going to use interface eth1
>> >>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
>> >>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
>> >>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
>> >>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
>> >>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
>> >>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
>> >>> error  -1
>> >>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> >>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
>> >>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
>> >>> Recv:0 Drop:0 (-nan%).
>> >>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
>> >>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> >>>
>> >>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
>> >>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
>> >>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
>> >>> (ReceivePfringThreadInit) -- going to use interface eth1
>> >>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
>> >>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
>> >>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
>> >>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
>> >>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:289) <Error>
>> >>> (ReceivePfringThreadInit) -- [ERRCODE:
>> >>> SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned
>> >>> -1 for cluster-id: 99
>> >>> [11829] 17/9/2011 -- 21:17:48 - (suricata.c:1165) <Info> (main) --
>> >>> signal received
>> >>> [11829] 17/9/2011 -- 21:17:48 - (suricata.c:1195) <Info> (main) --
>> >>> time elapsed 0s
>> >>> [11841] 17/9/2011 -- 21:17:48 - (flow.c:1107) <Info>
>> >>> (FlowManagerThread) -- 0 new flows, 0 established flows were timed
>> >>> out, 0 flows in closed state
>> >>> [11829] 17/9/2011 -- 21:17:48 - (stream-tcp-reassemble.c:291) <Info>
>> >>> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly
>> >>> engine 11292544 (in use 0)
>> >>> [11829] 17/9/2011 -- 21:17:49 - (stream-tcp.c:487) <Info>
>> >>> (StreamTcpFreeConfig) -- Max memuse of stream engine 5505024 (in use
>> >>> 0)
>> >>> [11829] 17/9/2011 -- 21:17:49 - (detect.c:2820) <Info>
>> >>> (SigAddressCleanupStage1) -- cleaning up signature grouping
>> >>> structure...
>> >>> [11829] 17/9/2011 -- 21:17:49 - (detect.c:2835) <Info>
>> >>> (SigAddressCleanupStage1) -- cleaning up signature grouping
>> >>> structure... done
>> >>>
>> >>> --
>> >>> Seyyed Mohsen Saeedi
>> >>> سید محسن سعیدی
>> >>> _______________________________________________
>> >>> Discussion mailing list
>> >>> Discussion at openinfosecfoundation.org
>> >>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>> >>>
>> >
>> >
>> >
>> > --
>> > Seyyed Mohsen Saeedi
>> > سید محسن سعیدی
>
>
>
> --
> Seyyed Mohsen Saeedi
> سید محسن سعیدی
>
>