[Oisf-devel] Segfault on Suricata 1.2dev, PF_RING 5.2.1. and listening on a bonded interface

[Victor Julien]

On 01/13/2012 04:51 PM, David.R.Wharton at regions.com wrote:
> Good question.  They are VLAN tagged so they have an extra four bytes.

This is mostly likely the problem here. We assume pfring packets to be
ethernet. Opened a ticket:
https://redmine.openinfosecfoundation.org/issues/400

Cheers,
Victor

> -David
> 
> 
> 
> From:         Victor Julien <victor at inliniac.net>
> To:         oisf-devel at openinfosecfoundation.org
> Date:         01/13/2012 09:43 AM
> Subject:         Re: [Oisf-devel] Segfault on Suricata 1.2dev, PF_RING
> 5.2.1. and listening on a bonded interface
> Sent by:         oisf-devel-bounces at openinfosecfoundation.org
> 
> 
> 
> On 01/13/2012 04:37 PM, David.R.Wharton at regions.com wrote:
>> DecodeEthernet (tv=0xbfa89c0, dtv=0xda8fe48, p=0x8f27070, pkt=0x1a00ffff
>> <Address 0x1a00ffff out of bounds>, len=64, pq=0xd533dd0) at
>> decode-ethernet.c:56
>> 56            switch (ntohs(p->ethh->eth_type)) {
>> (gdb) backtrace
>> #0  DecodeEthernet (tv=0xbfa89c0, dtv=0xda8fe48, p=0x8f27070,
>> pkt=0x1a00ffff <Address 0x1a00ffff out of bounds>, len=64, pq=0xd533dd0)
>> at decode-ethernet.c:56
>> #1  0x0805ded8 in DecodePfring (tv=0xbfa89c0, p=0x8f27070,
>> data=0xda8fe48, pq=0xd533dd0, postpq=0x0) at source-pfring.c:482
> 
> If you monitor the link with wireshark/tshark what is the link type? Do
> the packets come in as straight ethernet packets or are they wrapped in
> something else?
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/ <http://www.inliniac.net/>
> PGP: http://www.inliniac.net/victorjulien.asc
> <http://www.inliniac.net/victorjulien.asc>
> ---------------------------------------------
> 
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> <http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel>
> 
> 
> 
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------