[Oisf-devel] Latest 2.0dev (rev 68ba9df) + PF_RING (+DNA+libzero) = no HTTP logs

Chris Wakelin c.d.wakelin at reading.ac.uk
Tue Sep 24 14:30:26 UTC 2013


Hi,

I may be doing something wrong, but I've just tried this morning's git
master (rev 68ba9df - i.e. just before the SSL updates - compiled with
my current PF_RING, version 5.6.0) on the student network and it seems
to be failing to log any HTTP (or HTTP alerts). There were some UDP alerts
though.

The previous version, from 22nd July - 2.0dev (rev 055b422) is fine
(though sometimes misses fields in the filestore .meta files).

At first, I wasn't convinced about the fix for DNA ignoring
PF_RING_LONG_HEADER, namely that this flag is only needed when checksums
are enabled (which they aren't in my case), so I tried my own fix of
calling pfring_parse_pkt in the PfringProcessPacket function (which I've
been doing since July, together with the extra PF_RING_DNA_SYMMETRIC_RSS
flag which may help for ordinary DNA rather than DNA + libzero) :-

--- src/source-pfring.c.orig    2013-09-12 18:49:30.940770018 +0100
+++ src/source-pfring.c 2013-09-24 15:17:47.334061588 +0100
@@ -209,6 +209,14 @@

     PfringThreadVars *ptv = (PfringThreadVars *)user;

+    /* DNA interfaces ignore the PF_RING_LONG_HEADER flag
+     * so force parsing of the packet here
+     * up to level 4 and add timestamp */
+    if (strncmp(ptv->interface, "dna", 3) == 0) {
+        memset((void*)&h->extended_hdr.parsed_pkt, 0, sizeof(struct
pkt_parsing_info));
+        pfring_parse_pkt((char *)GET_PKT_DIRECT_DATA(p), h, 4, 1, 0);
+    }
+
     ptv->bytes += h->caplen;
     ptv->pkts++;
     (void) SC_ATOMIC_ADD(ptv->livedev->pkts, 1);
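Review bot: the return value of pfring_parse_pkt() is discarded, so a packet the parser cannot handle still flows on with a zeroed parsed_pkt (from the preceding memset) and nothing is logged; consider checking the result and counting or debug-logging failures so that a silent "no HTTP" symptom like the one reported is visible in the stats. The strncmp(ptv->interface, "dna", 3) prefix test also matches any interface whose name merely begins with "dna", which is fine for the dna0/dna1 convention but worth a comment. Finally, the memset plus a full level-4 parse runs for every packet on a DNA interface; if the intent is only to compensate for PF_RING_LONG_HEADER being ignored, document that trade-off in the comment so a later reader does not assume the parse is free.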
@@ -388,6 +396,11 @@

     opflag = PF_RING_REENTRANT | PF_RING_PROMISC;

+    if (strncmp(ptv->interface, "dna", 3) == 0) {
+        opflag |= PF_RING_DNA_SYMMETRIC_RSS;
+    }
+
+
     if (ptv->checksum_mode == CHECKSUM_VALIDATION_RXONLY) {
         if (strncmp(ptv->interface, "dna", 3) == 0) {
             SCLogWarning(SC_ERR_INVALID_VALUE,
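Review bot: PF_RING_DNA_SYMMETRIC_RSS is forced unconditionally for every "dna" interface with no way to opt out from suricata.yaml, even though the cover note says it "may help for ordinary DNA rather than DNA + libzero"; a configuration key would let users choose. The new strncmp(ptv->interface, "dna", 3) block sits directly above an identical check inside the CHECKSUM_VALIDATION_RXONLY branch and could be folded into a single is-DNA test. Style: the hunk adds two consecutive blank lines after the new block where one would do.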

However, this made no difference.

I did update libhtp to latest git as well (so version 0.5.7+) but I
think there have been minimal changes.

Running Suricata against a pcap is fine, so it does seem to be a PF_RING
issue.

Any ideas?

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094

