[Oisf-devel] Suricata, PF_RING, and subinterfaces

Will Metcalf william.metcalf at gmail.com
Thu Jul 21 22:09:24 UTC 2011


Luca recently changed the API; packets are now passed as reference.
Victor has a patch in his inbox for Suricata to work with the latest
PF_RING.  Additionally, we currently always assign a cluster-id even if
we only have a single cluster member. This seems to be broken in
PF_RING using multiple interfaces, i.e. eth0 and eth1 can't both be
members of cluster 99, so I'm not sure what this means for your bonded
interface, but perhaps we should do some check like: if the receive
threads < 2 and cluster-id isn't specified, don't assign one; if
receive threads > 1 and no cluster-id is assigned, bail...  We are also
working on support for multiple interfaces for PF_RING, but clustering
complicates things, so --pfring-int eth0 --pfring-int eth1, similar to
pcap.

Regards,

Will

On Thu, Jul 21, 2011 at 4:48 PM,  <David.R.Wharton at regions.com> wrote:
> I am trying to get Suricata up and running with PF_RING and it is crashing
> on the PF_RING part.  In ifconfig, my interfaces/sub interfaces are:
>
> bond0
> bond0.1035
> bond0.1036
> .
> .
> .
> bond0.142
> eth0
> eth2
> eth3
> lo
>
> Suricata was compiled with PF_RING support and PF_RING was installed and
> everything seems to be fine until I try to run Suricata with PF_RING on
> bond0:
>
> /usr/local/bin/suricata -c /etc/suricata/suricata-open.yaml
> --pfring-int=bond0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow
>
> I get these errors at the end:
>
> [20106] 21/7/2011 -- 16:26:51 - (source-pfring.c:282) <Error>
> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - opening
> bond0 failed: pfring_open error
> [20071] 21/7/2011 -- 16:26:51 - (stream-tcp.c:367) <Info>
> (StreamTcpInitConfig) -- stream "memcap": 33554432
> [20071] 21/7/2011 -- 16:26:55 - (stream-tcp.c:374) <Info>
> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
> [20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:382) <Info>
> (StreamTcpInitConfig) -- stream "async_oneside": disabled
> [20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:398) <Info>
> (StreamTcpInitConfig) -- stream "checksum_validation": enabled
> [20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:409) <Info>
> (StreamTcpInitConfig) -- stream."inline": disabled
> [20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:418) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
> [20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:428) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
> [20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:451) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
> [20071] 21/7/2011 -- 16:26:58 - (stream-tcp.c:453) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
> [20071] 21/7/2011 -- 16:26:58 - (tm-threads.c:1472) <Error>
> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread
> "ReceivePfring" closed on initialization.
> [20071] 21/7/2011 -- 16:26:58 - (suricata.c:1344) <Error> (main) --
> [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed,
> aborting...
>
> But if I run the same command but using a different interface like eth2, it
> does not crash.  I can even run the PF_RING example program on bond0 and it
> works:
>
> # ./pfcount -bond0
> Using PF_RING v.4.7.1
> Capturing from eth0 [00:C0:9F:3F:61:1A]
> # Device RX channels: 1
> # Polling threads:    1
> =========================
> Absolute Stats: [3 pkts rcvd][0 pkts dropped]
> Total Pkts=3/Dropped=0.0 %
> 3 pkts - 225 bytes
> =========================
>
> =========================
> Absolute Stats: [8 pkts rcvd][0 pkts dropped]
> Total Pkts=8/Dropped=0.0 %
> 8 pkts - 674 bytes [7.98 pkt/sec - 0.01 Mbit/sec]
> =========================
> Actual Stats: 5 pkts [1'001.94 ms][4.99 pkt/sec]
> =========================
>
> I also see PF_RING create the rings when I have something capturing using
> it:
>
> # cat /proc/net/pf_ring/info
> PF_RING Version     : 4.7.1 ($Revision: 4733$)
> Ring slots          : 4096
> Slot version        : 13
> Capture TX          : Yes [RX+TX]
> IP Defragment       : No
> Socket Mode         : Standard
> Transparent mode    : Yes (mode 0)
> Total rings         : 2
> Total plugins       : 0
>
> I pulled the latest PF_RING source from SVN today (v4.7.1) and the latest
> Suricata beta source (v1.1b2) from the OISF site.  Sorry for the long email
> but I thought I would ask the experts.
>
> Thanks for any responses.
>
> -David
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
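
The cluster-id check proposed at the top of this message, written out as an added example; it is not code from this thread or from Suricata. All type and function names are hypothetical, -1 is assumed to mean "no cluster-id specified", and the shared-id rule models the observation that eth0 and eth1 can't both be members of cluster 99.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not Suricata's source-pfring.c. */
enum pfring_check {
    PFRING_NO_CLUSTER,    /* single thread, no id given: open without a cluster */
    PFRING_USE_CLUSTER,   /* id given: join that cluster */
    PFRING_ERR_NEED_ID,   /* more than one thread but no id: bail */
    PFRING_ERR_SHARED_ID  /* same id on two different interfaces: bail */
};

struct pfring_iface {
    const char *name;
    int threads;     /* receive threads on this interface */
    int cluster_id;  /* assumption: -1 means "not specified" */
};

/* Per-interface rule: threads < 2 and no id -> no cluster; threads > 1 and no id -> bail. */
enum pfring_check pfring_check_one(const struct pfring_iface *c)
{
    if (c->cluster_id >= 0)
        return PFRING_USE_CLUSTER;
    return c->threads < 2 ? PFRING_NO_CLUSTER : PFRING_ERR_NEED_ID;
}

/* Checks v[idx] against the per-interface rule, then against every earlier
 * entry so that one cluster id is never used by two different interfaces. */
enum pfring_check pfring_check_at(const struct pfring_iface *v, int idx)
{
    enum pfring_check r = pfring_check_one(&v[idx]);
    if (r != PFRING_USE_CLUSTER)
        return r;
    for (int j = 0; j < idx; j++)
        if (v[j].cluster_id == v[idx].cluster_id &&
            strcmp(v[j].name, v[idx].name) != 0)
            return PFRING_ERR_SHARED_ID;
    return PFRING_USE_CLUSTER;
}

int main(void)
{
    /* Constructed sample configuration, not taken from the thread. */
    struct pfring_iface cfg[] = {
        { "eth0", 1, -1 }, { "eth1", 4, 99 }, { "eth2", 2, -1 }, { "eth3", 2, 99 },
    };
    for (int i = 0; i < 4; i++)
        printf("%s -> %d\n", cfg[i].name, pfring_check_at(cfg, i));
    return 0;
}
```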


