[Oisf-users] Problem when running suricata with PF_RING

Sylvain Chillaud sylvain.chillaud at gmail.com
Tue Nov 16 09:20:57 UTC 2010


bump

I've been trying with the latest rev of PF_RING but I still get the same
error.

Did you give it a try, Will?

2010/10/5 Will Metcalf <william.metcalf at gmail.com>

> That's what it sounds like to me as well. Whenever I get 20 minutes or
> so I can try to build on my end from the latest PF_RING version.
>
> Regards,
>
> Will
>
> On Tue, Oct 5, 2010 at 8:04 AM, Victor Julien <victor at inliniac.net> wrote:
> > Sylvain Chillaud wrote:
> >> Hello,
> >>
> >> I've been trying to install suricata with pf_ring, following the
> >> instructions in INSTALL.PF_RING in the doc directory of the
> >> suricata-1.0.2 tarball (and the guide on the oisf website).
> >> I've managed to configure and compile it, but when running it I get the
> >> following errors :
> >>
> >>
> >> /[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:248) <Info>
> >> (ReceivePfringThreadInit) -- Going to use cluster-id 99
> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info>
> >> (ReceivePfringThreadInit) -- going to use interface eth2
> >> Wrong RING version: kernel is 12, libpfring was compiled with 9
> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error>
> >> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
> >> pfring_open error
> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:370) <Info>
> >> (StreamTcpInitConfig) -- stream "max_sessions": 262144
> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:382) <Info>
> >> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:392) <Info>
> >> (StreamTcpInitConfig) -- stream "memcap": 33554432
> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:399) <Info>
> >> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:407) <Info>
> >> (StreamTcpInitConfig) -- stream "async_oneside": disabled
> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:416) <Info>
> >> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:436) <Info>
> >> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
> >> [16781] 5/10/2010 -- 12:11:47 - (tm-threads.c:1416) <Error>
> >> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread
> >> "ReceivePfring" closed on initialization.
> >> [16781] 5/10/2010 -- 12:11:47 - (suricata.c:1128) <Error> (main) --
> >> [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed,
> >> aborting.../
> >>
> >>
> >>
> >> The server is not a clean server (as in : just installed), there are
> >> other applications on it, including a snort.
> >> It is a debian 5 lenny, kernel 2.6.26-2-amd64.
> >>
> >> I used aptitude to upgrade/install the packages needed, got some errors
> >> with libpcap-dev and libpcap0.8-dev (as if the files were corrupted, it
> >> couldn't open them), but these are said to be required for the install
> >> without pf_ring as well, and suricata without pf_ring options started
> >> all right anyway, so I guessed it was ok.
> >>
> >> But when installing and using pfring options (/suricata --pfring-int
> >> eth1 --pfring-cluster-id=99 --pfring-cluster-type cluster_flow -c
> >> /etc/suricata/suricata.yaml/), I get these error messages.
> >> PF_RING is the last version I could get at
> >> /https://svn.ntop.org/svn/ntop/trunk/PF_RING// though I got it via a
> >> windows svn and not via the server (I don't think it changes anything,
> >> though).
> >>
> >> I've searched but have not found any reference to the errcode or any of
> >> the other error messages, thus I'd like to ask if someone has an idea
> >> of the problem.
> >
> > This error "Wrong RING version: kernel is 12, libpfring was compiled
> > with 9" sounds pretty serious to me. Mismatch between kernel pfring
> > version and the userland lib?
> >
> > Cheers,
> > Victor
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
>
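
Added example, not part of the original thread and not Suricata or PF_RING code: a small triage of the startup output quoted above, showing that the decisive line is the one not in Suricata's own log format and that the first ERRCODE in the chain points at it. The sample log is constructed from the quoted output with the mail line wrapping undone; the function names are hypothetical.

```python
import re

# Constructed sample: startup output quoted in the thread, unwrapped and
# with most <Info> lines trimmed.
SAMPLE_LOG = """\
[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info> (ReceivePfringThreadInit) -- going to use interface eth2
Wrong RING version: kernel is 12, libpfring was compiled with 9
[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - pfring_open error
[16781] 5/10/2010 -- 12:11:47 - (tm-threads.c:1416) <Error> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "ReceivePfring" closed on initialization.
[16781] 5/10/2010 -- 12:11:47 - (suricata.c:1128) <Error> (main) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
"""

# One Suricata record: [id] date -- time - (file:line) <Level> (function) -- message
RECORD = re.compile(r"^\[(\d+)\] \S+ -- \S+ - \(([\w.-]+):(\d+)\) <(\w+)> \((\w+)\) -- (.*)$")
ERRCODE = re.compile(r"^\[ERRCODE: (\w+)\((\d+)\)\] - (.*)$")
RING = re.compile(r"Wrong RING version: kernel is (\d+), libpfring was compiled with (\d+)")

def triage(log):
    """Return (errors, foreign_lines, ring_mismatch) for a startup log."""
    errors, foreign, mismatch = [], [], None
    for line in log.splitlines():
        rec = RECORD.match(line)
        if rec is None:
            # Not in Suricata's record format: output written by a library.
            if line.strip():
                foreign.append(line.strip())
            m = RING.search(line)
            if m:
                mismatch = (int(m.group(1)), int(m.group(2)))  # (kernel, lib)
            continue
        ident, src, lineno, level, func, msg = rec.groups()
        code = ERRCODE.match(msg)
        if level == "Error" and code:
            errors.append({"id": int(ident), "where": f"{src}:{lineno}",
                           "code": code.group(1), "num": int(code.group(2)),
                           "text": code.group(3)})
    return errors, foreign, mismatch

def root_cause(log):
    """Explain the first error, using the ring version line when present."""
    errors, _, mismatch = triage(log)
    if mismatch and errors and errors[0]["code"] == "SC_ERR_PF_RING_OPEN":
        kernel, lib = mismatch
        return (f"kernel PF_RING module is ring version {kernel}, "
                f"libpfring was compiled for {lib}: the two must match")
    return errors[0]["text"] if errors else None

if __name__ == "__main__":
    print(root_cause(SAMPLE_LOG))
```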