[Oisf-devel] Segfault on Suricata 1.2dev, PF_RING 5.2.1. and listening on a bonded interface

Martin Holste mcholste at gmail.com
Fri Jan 13 17:21:46 UTC 2012


As a workaround, you can create a vlan interface using the vconfig
command line utility to create an interface like eth1.22 for VLAN 22.
This will remove the 4 bytes and pass the packets to Suricata in
proper ethernet form.  However, you will need to disable bad checksum
tossing.

On Fri, Jan 13, 2012 at 10:48 AM, Victor Julien <victor at inliniac.net> wrote:
> On 01/13/2012 04:51 PM, David.R.Wharton at regions.com wrote:
>> Good question.  They are VLAN tagged so they have an extra four bytes.
>
> This is most likely the problem here. We assume pfring packets to be
> ethernet. Opened a ticket:
> https://redmine.openinfosecfoundation.org/issues/400
>
> Cheers,
> Victor
>
>> -David
>>
>>
>>
>> From:         Victor Julien <victor at inliniac.net>
>> To:         oisf-devel at openinfosecfoundation.org
>> Date:         01/13/2012 09:43 AM
>> Subject:         Re: [Oisf-devel] Segfault on Suricata 1.2dev, PF_RING
>> 5.2.1. and listening on a bonded interface
>> Sent by:         oisf-devel-bounces at openinfosecfoundation.org
>>
>>
>>
>> On 01/13/2012 04:37 PM, David.R.Wharton at regions.com wrote:
>>> DecodeEthernet (tv=0xbfa89c0, dtv=0xda8fe48, p=0x8f27070, pkt=0x1a00ffff
>>> <Address 0x1a00ffff out of bounds>, len=64, pq=0xd533dd0) at
>>> decode-ethernet.c:56
>>> 56            switch (ntohs(p->ethh->eth_type)) {
>>> (gdb) backtrace
>>> #0  DecodeEthernet (tv=0xbfa89c0, dtv=0xda8fe48, p=0x8f27070,
>>> pkt=0x1a00ffff <Address 0x1a00ffff out of bounds>, len=64, pq=0xd533dd0)
>>> at decode-ethernet.c:56
>>> #1  0x0805ded8 in DecodePfring (tv=0xbfa89c0, p=0x8f27070,
>>> data=0xda8fe48, pq=0xd533dd0, postpq=0x0) at source-pfring.c:482
>>
>> If you monitor the link with wireshark/tshark what is the link type? Do
>> the packets come in as straight ethernet packets or are they wrapped in
>> something else?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------

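The thread attributes the crash to VLAN-tagged frames carrying four extra bytes while the PF_RING path assumes plain Ethernet. As an added example (not Suricata's code and not part of the original thread), the following C code shows where the 802.1Q tag sits and how a decoder can length-check and skip it; `parse_l2`, `struct l2_info` and the sample frame are hypothetical names and constructed data, and only a single tag is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define VLAN_TAG_LEN   4       /* TPID (2) + TCI (2): the extra four bytes */
#define ETHERTYPE_VLAN 0x8100  /* 802.1Q TPID */
#define ETHERTYPE_IP   0x0800

struct l2_info {               /* hypothetical result type for this example */
    uint16_t ethertype;        /* EtherType of the encapsulated payload */
    uint16_t vlan_id;          /* 12-bit VLAN ID, 0 when untagged */
    size_t   payload_off;      /* offset of the L3 header within pkt */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if pkt is NULL or shorter than the headers it
 * claims to carry. No field is read before its length has been checked. */
int parse_l2(const uint8_t *pkt, size_t len, struct l2_info *out)
{
    if (pkt == NULL || out == NULL || len < ETH_HDR_LEN)
        return -1;
    out->ethertype   = rd16(pkt + 12);
    out->vlan_id     = 0;
    out->payload_off = ETH_HDR_LEN;
    if (out->ethertype == ETHERTYPE_VLAN) {
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
            return -1;
        out->vlan_id     = rd16(pkt + 14) & 0x0FFF;  /* low 12 bits of TCI */
        out->ethertype   = rd16(pkt + 16);           /* EtherType after the tag */
        out->payload_off = ETH_HDR_LEN + VLAN_TAG_LEN;
    }
    return 0;
}

/* Constructed sample frame: tagged with VLAN 22, carrying IPv4. */
static const uint8_t tagged_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, /* dst, src */
    0x81,0x00, 0x00,0x16, 0x08,0x00,   /* TPID, TCI (VLAN 22), inner EtherType */
    0x45,0x00                          /* first bytes of the IPv4 header */
};

int main(void)
{
    struct l2_info i;
    if (parse_l2(tagged_frame, sizeof tagged_frame, &i) != 0) return 1;
    printf("vlan=%u ethertype=0x%04x off=%zu\n", i.vlan_id, i.ethertype, i.payload_off);
    return 0;
}
```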

