[Oisf-devel] Segfault on Suricata 1.2dev, PF_RING 5.2.1. and listening on a bonded interface
David.R.Wharton at regions.com
Fri Jan 13 15:37:19 UTC 2012
I'm testing the latest version of Suricata I pulled from Git -- 1.2dev
(rev e526525) -- with PF_RING v.5.2.1. Everything compiles/installs fine,
but when I run Suricata on a bonded interface, I get a segfault:
/usr/local/bin/suricata -c /etc/suricata/suricata-open.yaml
--pfring-int=bond0 --pfring-cluster-id=99
--pfring-cluster-type=cluster_flow --user=pcap --group=pcap
--runmode=autofp
.
-- 09:14:46 - (source-pfring.c:375) <Info> (ReceivePfringThreadInit) --
(RxPFR1) Using PF_RING v.5.2.1, interface bond0, single-pfring-thread
-- (tm-threads.c:1810) <Info> (TmThreadWaitOnThreadInit) -- all 4 packet
processing threads, 3 management threads initialized, engine started.
Segmentation fault
If I use something like eth2 instead of bond0, it seems to work fine:
-- (source-pfring.c:375) <Info> (ReceivePfringThreadInit) -- (RxPFR1)
Using PF_RING v.5.2.1, interface eth2, single-pfring-thread
-- (tm-threads.c:1810) <Info> (TmThreadWaitOnThreadInit) -- all 4 packet
processing threads, 3 management threads initialized, engine started.
The PF_RING userland/examples/pfcount program works on bond0:
[root at crom examples]# ./pfcount -i bond0
Using PF_RING v.5.2.1
Capturing from bond0 [00:1C:33:A0:D0:F8]
# Device RX channels: 1
# Polling threads: 1
=========================
Absolute Stats: [385 pkts rcvd][0 pkts dropped]
Total Pkts=385/Dropped=0.0 %
385 pkts - 49'764 bytes
=========================
I know there were some issues with Suricata and PF_RING last summer that
had to do with PF_RING API changes, but as I understand it, those were all
fixed a while ago.
Has anyone run into this issue or know of a fix? Has anyone gotten the
latest versions of Suricata and PF_RING working, listening on a bonded
interface?
Here is some info from gdb:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb74d9b90 (LWP 22588)]
DecodeEthernet (tv=0xbfa89c0, dtv=0xda8fe48, p=0x8f27070, pkt=0x1a00ffff
<Address 0x1a00ffff out of bounds>, len=64, pq=0xd533dd0) at
decode-ethernet.c:56
56 switch (ntohs(p->ethh->eth_type)) {
(gdb) backtrace
#0 DecodeEthernet (tv=0xbfa89c0, dtv=0xda8fe48, p=0x8f27070,
pkt=0x1a00ffff <Address 0x1a00ffff out of bounds>, len=64, pq=0xd533dd0)
at decode-ethernet.c:56
#1 0x0805ded8 in DecodePfring (tv=0xbfa89c0, p=0x8f27070, data=0xda8fe48,
pq=0xd533dd0, postpq=0x0) at source-pfring.c:482
#2 0x08149b46 in TmThreadsSlotVarRun (tv=0xbfa89c0, p=0x8f27070,
slot=0xd533db0) at tm-threads.c:458
#3 0x0805f4a3 in TmThreadsSlotProcessPkt (tv=0xbfa89c0, data=0xd5ffa88,
slot=0xd533cb8) at tm-threads.h:130
#4 ReceivePfringLoop (tv=0xbfa89c0, data=0xd5ffa88, slot=0xd533cb8) at
source-pfring.c:279
#5 0x0814a968 in TmThreadsSlotPktAcqLoop (td=0xbfa89c0) at
tm-threads.c:572
#6 0x0014c832 in start_thread () from /lib/libpthread.so.0
#7 0x005f546e in clone () from /lib/libc.so.6
Thanks.
-David