[Oisf-devel] Suricata, PF_RING, and subinterfaces

David.R.Wharton at regions.com David.R.Wharton at regions.com
Thu Jul 21 21:48:24 UTC 2011 

I am trying to get Suricata up and running with PF_RING and it is crashing 
on the PF_RING part.  In ifconfig, my interfaces/sub interfaces are:

bond0
bond0.1035
bond0.1036
.
.
.
bond0.142
eth0
eth2
eth3
lo

Suricata was compiled with PF_RING support and PF_RING was installed and 
everything seems to be fine until I try to run Suricata with PF_RING on 
bond0:

/usr/local/bin/suricata -c /etc/suricata/suricata-open.yaml 
--pfring-int=bond0 --pfring-cluster-id=99 
--pfring-cluster-type=cluster_flow

I get these errors at the end:

[20106] 21/7/2011 -- 16:26:51 - (source-pfring.c:282) <Error> 
(ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - opening 
bond0 failed: pfring_open error
[20071] 21/7/2011 -- 16:26:51 - (stream-tcp.c:367) <Info> 
(StreamTcpInitConfig) -- stream "memcap": 33554432
[20071] 21/7/2011 -- 16:26:55 - (stream-tcp.c:374) <Info> 
(StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:382) <Info> 
(StreamTcpInitConfig) -- stream "async_oneside": disabled
[20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:398) <Info> 
(StreamTcpInitConfig) -- stream "checksum_validation": enabled
[20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:409) <Info> 
(StreamTcpInitConfig) -- stream."inline": disabled
[20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:418) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:428) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:451) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
[20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:453) <Info> 
(StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
[20071] 21/7/2011 -- 16:26:58 - (tm-threads.c:1472) <Error> 
(TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread 
"ReceivePfring" closed on initialization.
[20071] 21/7/2011 -- 16:26:58 - (suricata.c:1344) <Error> (main) -- 
[ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, 
aborting...

But if I run the same command but using a different interface like eth2, 
it does not crash.  I can even run the PF_RING example program on bond0 
and it works:

# ./pfcount -bond0
Using PF_RING v.4.7.1
Capturing from eth0 [00:C0:9F:3F:61:1A]
# Device RX channels: 1
# Polling threads:    1
=========================
Absolute Stats: [3 pkts rcvd][0 pkts dropped]
Total Pkts=3/Dropped=0.0 %
3 pkts - 225 bytes
=========================

=========================
Absolute Stats: [8 pkts rcvd][0 pkts dropped]
Total Pkts=8/Dropped=0.0 %
8 pkts - 674 bytes [7.98 pkt/sec - 0.01 Mbit/sec]
=========================
Actual Stats: 5 pkts [1'001.94 ms][4.99 pkt/sec]
=========================

I also see PF_RING create the rings when I have something capturing using 
it:

# cat /proc/net/pf_ring/info
PF_RING Version     : 4.7.1 ($Revision: 4733$)
Ring slots          : 4096
Slot version        : 13
Capture TX          : Yes [RX+TX]
IP Defragment       : No
Socket Mode         : Standard
Transparent mode    : Yes (mode 0)
Total rings         : 2
Total plugins       : 0

I pulled the latest PF_RING source from SVN today (v4.7.1) and the latest 
Suricata beta source (v1.1b2) from the OISF site.  Sorry for the long 
email but I though I would ask the experts.

Thanks for any responses.

-David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110721/8fdc379b/attachment-0002.html>

More information about the Oisf-devel mailing list