[Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1

Will Metcalf william.metcalf at gmail.com
Thu Aug 4 15:43:00 UTC 2011


Heh... It looks like there might be off-by-one error based on the
allocated buffer and the macro GET_PKT_DIRECT_MAX_SIZE() which is used
to determine how much data to copy from PF_RING.  If I'm reading the
code correctly it looks like on a fully loaded frame cuts off the last
byte in a payload.  Until we can come up wit a patch/further validate
try setting your default-packet-size: setting in your suricata.yaml to
one more byte than the maximum on-wire size of a frame.  So for
example MTU + ethernet header = 1514 bytes set to 1515 bytes or if you
want to account for  FCS transmitted on wire set it to MTU + ethernet
header + FCS = 1518 set to 1519 bytes.

Additionally since there is no guarantee that FCS won't be included in
a frame Suricata should account for this, by making the default
snaplen 1518 bytes imho. Thoughts?

http://wiki.wireshark.org/Ethernet

Regards,

Will


On Thu, Aug 4, 2011 at 10:06 AM,  <David.R.Wharton at regions.com> wrote:
> Thanks Will.  I installed Suricata version 1.1beta2 (rev b3f7e6a) from git
> and now I don't get the PF_RING errors.  Now I get tons of App Layer parser
> errors, similar to the following, mostly on SSL/TLS connections but I also
> see it on http and smtp 'app layer protocol':
>
> [4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "tls" app layer protocol, using network protocol 6, source IP address
> 66.255.199.50, destination IP address <removed>, src port 34481 and dst port
> 443
> [4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "tls" app layer protocol, using network protocol 6, source IP address
> 153.69.201.240, destination IP address <removed>, src port 7132 and dst port
> 443
> [4640] 4/8/2011 -- 09:56:38 - (app-layer-parser.c:955) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> <removed>, destination IP address 68.147.232.208, src port 53771 and dst
> port 80
>
> Thanks.
>
> -David
>
>
>
> From:        Will Metcalf <william.metcalf at gmail.com>
> To:        David.R.Wharton at regions.com
> Cc:        oisf-devel at openinfosecfoundation.org
> Date:        08/03/2011 04:35 PM
> Subject:        Re: [Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE:
> SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
> ________________________________
>
>
> You need to upgrade to the latest suricata version from git. Packets
> are now passed as a reference in PF_RING 4.7.1, which required us to
> modify suri.
>
> Regards,
>
> Will
> On Wed, Aug 3, 2011 at 4:30 PM,  <David.R.Wharton at regions.com> wrote:
>> I'm trying to get Suricata up and running with PF_RING but I keep getting
>> a
>> pfring_recv error.  Here is a snipped from when Suricata starts up:
>>
>> [13373] 3/8/2011 -- 16:25:22 - (source-pfring.c:313) <Info>
>> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
>> interface eth2, cluster-id 99
>> [13354] 3/8/2011 -- 16:25:23 - (tm-threads.c:1485) <Info>
>> (TmThreadWaitOnThreadInit) -- all 11 packet processing threads, 3
>> management
>> threads initialized, engine started.
>> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:232) <Error>
>> (ReceivePfring)
>> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
>> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:332) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> [13373] 3/8/2011 -- 16:25:23 - (source-pfring.c:336) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
>> Drop:0 (nan%).
>> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
>> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
>> interface eth2, cluster-id 99
>> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
>> (ReceivePfring)
>> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
>> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> [13387] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
>> Drop:0 (nan%).
>> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
>> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
>> interface eth2, cluster-id 99
>> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
>> (ReceivePfring)
>> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
>> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> [13388] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
>> Drop:0 (nan%).
>> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
>> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
>> interface eth2, cluster-id 99
>> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
>> (ReceivePfring)
>> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
>> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> [13389] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
>> Drop:0 (nan%).
>> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
>> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
>> interface eth2, cluster-id 99
>> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
>> (ReceivePfring)
>> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
>> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> [13390] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
>> Drop:0 (nan%).
>> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
>> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
>> interface eth2, cluster-id 99
>> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
>> (ReceivePfring)
>> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
>> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> [13391] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
>> Drop:0 (nan%).
>> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:313) <Info>
>> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
>> interface eth2, cluster-id 99
>> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:232) <Error>
>> (ReceivePfring)
>> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
>> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:332) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> [13392] 3/8/2011 -- 16:25:24 - (source-pfring.c:336) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
>> Drop:0 (nan%).
>> [13354] 3/8/2011 -- 16:25:24 - (tm-threads.c:1400) <Info>
>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:313) <Info>
>> (ReceivePfringThreadInit) -- (ReceivePfring) Using PF_RING v.4.7.1,
>> interface eth2, cluster-id 99
>> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:232) <Error>
>> (ReceivePfring)
>> -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
>> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:332) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
>> [13393] 3/8/2011 -- 16:25:25 - (source-pfring.c:336) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0 Recv:0
>> Drop:0 (nan%).
>> [13354] 3/8/2011 -- 16:25:25 - (tm-threads.c:1400) <Info>
>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
>> [13395] 3/8/2011 -- 16:25:25 - (source-pfring.c:307) <Error>
>> (ReceivePfringThreadInit) -- [ERRCODE:
>> SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -1
>> for
>> cluster-id: 99
>> [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1363) <Info> (main) -- signal
>> received
>> [13354] 3/8/2011 -- 16:25:25 - (suricata.c:1414) <Info> (main) -- time
>> elapsed 3s
>> [13384] 3/8/2011 -- 16:25:25 - (flow.c:1142) <Info> (FlowManagerThread) --
>> 0
>> new flows, 0 established flows were timed out, 0 flows in closed state
>> [13354] 3/8/2011 -- 16:25:25 - (stream-tcp-reassemble.c:352) <Info>
>> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly engine
>> 11220864 (in use 0)
>> [13354] 3/8/2011 -- 16:25:25 - (stream-tcp.c:495) <Info>
>> (StreamTcpFreeConfig) -- Max memuse of stream engine 4063232 (in use 0)
>> [13354] 3/8/2011 -- 16:25:26 - (detect.c:3403) <Info>
>> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
>> complete
>>
>> I am running PF_RING 4.7.1 ($Revision: 4753$) and Suricata version
>> 1.1beta2.
>>
>> PF_RING seems to be installed OK and I can run the pfcount program just
>> fine:
>>
>> # cat /proc/net/pf_ring/info
>> PF_RING Version     : 4.7.1 ($Revision: 4753$)
>> Ring slots          : 4096
>> Slot version        : 13
>> Capture TX          : Yes [RX+TX]
>> IP Defragment       : No
>> Socket Mode         : Standard
>> Transparent mode    : Yes (mode 0)
>> Total rings         : 0
>> Total plugins       : 0
>>
>>
>> # ./pfcount -i eth2
>> Using PF_RING v.4.7.1
>> Capturing from eth2 [00:1B:78:31:F1:A4]
>> # Device RX channels: 1
>> # Polling threads:    1
>> =========================
>> Absolute Stats: [49859 pkts rcvd][0 pkts dropped]
>> Total Pkts=49859/Dropped=0.0 %
>> 49'859 pkts - 28'713'541 bytes
>> =========================
>>
>> =========================
>> Absolute Stats: [102158 pkts rcvd][0 pkts dropped]
>> Total Pkts=102158/Dropped=0.0 %
>> 102'158 pkts - 59'531'866 bytes [101'959.38 pkt/sec - 475.33 Mbit/sec]
>> =========================
>> Actual Stats: 52299 pkts [1'001.94 ms][52'197.37 pkt/sec]
>> =========================
>>
>>
>> Any ideas?
>>
>> Thanks.
>>
>> -David
>>
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>
>



More information about the Oisf-devel mailing list