[Oisf-users] Problem when running suricata with PF_RING

Sylvain Chillaud sylvain.chillaud at gmail.com
Wed Nov 17 16:14:01 UTC 2010


Ok, so I made a bit of cleaning and began from semi-scratch (did not
uninstall the first packages needed for suricata itself), going very
carefully.

Right now the problem is still here. I'll try different things and keep you
posted.



However, through this install process, I've noticed glitches in the
INSTALL.PF_RING that you might want to know of and correct.

At the part where we have to go to PF_RING/userland/tcpdump-4.0.0/
The instructions say to do:

sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile.in
sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/' Makefile
sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/' Makefile.in
sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//' Makefile
sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//' Makefile.in

First thing, I noticed that there is no Makefile, just Makefile.in. Don't
know if it's important, though.
Second thing I noticed, in these sed commands, there seem to be some "\"
and "/" that should not be there in the last ones. The result is that the
parameter is not changed in the file. Correcting

sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//' Makefile.in

to

sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring/-L \/opt\/PF_RING\/lib/' Makefile.in

did the trick for me.



If there is anything I can provide to help find where this error comes from,
let me know.

Regards,

Sylvain


2010/11/16 Will Metcalf <william.metcalf at gmail.com>

> Hmm, Yes I did indeed try.  There was a bug in PF_RING that I reported
> to Luca and was fixed and now it works properly.  Are you still
> getting the same error message?  Perhaps you should use dkms to remove
> any versions of PF_RING modules you have installed.  Once you have
> done this nuke the /opt/PF_RING/ dir and restart the install procedure
> from scratch.
>
> Regards,
>
> Will
>
> On Tue, Nov 16, 2010 at 3:20 AM, Sylvain Chillaud
> <sylvain.chillaud at gmail.com> wrote:
> > bump
> >
> > I've been trying with the latest rev of PF_RING but I still get the same
> > error.
> >
> > Did you give it a try, Will ?
> >
> > 2010/10/5 Will Metcalf <william.metcalf at gmail.com>
> >>
> >> That's what it sounds like to me as well. Whenever I get 20 minutes or
> >> so I can try to build on my end from the latest PF_RING version.
> >>
> >> Regards,
> >>
> >> Will
> >>
> >> On Tue, Oct 5, 2010 at 8:04 AM, Victor Julien <victor at inliniac.net> wrote:
> >> > Sylvain Chillaud wrote:
> >> >> Hello,
> >> >>
> >> >> I've been trying to install suricata with pf_ring, following the
> >> >> instructions in INSTALL.PF_RING in the doc directory of the
> >> >> suricata-1.0.2 tarball (and the guide on the oisf website).
> >> >> I've managed to configure and compile it, but when running it I get the
> >> >> following errors:
> >> >>
> >> >>
> >> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:248) <Info>
> >> >> (ReceivePfringThreadInit) -- Going to use cluster-id 99
> >> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info>
> >> >> (ReceivePfringThreadInit) -- going to use interface eth2
> >> >> Wrong RING version: kernel is 12, libpfring was compiled with 9
> >> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error>
> >> >> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
> >> >> pfring_open error
> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:370) <Info>
> >> >> (StreamTcpInitConfig) -- stream "max_sessions": 262144
> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:382) <Info>
> >> >> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:392) <Info>
> >> >> (StreamTcpInitConfig) -- stream "memcap": 33554432
> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:399) <Info>
> >> >> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:407) <Info>
> >> >> (StreamTcpInitConfig) -- stream "async_oneside": disabled
> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:416) <Info>
> >> >> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:436) <Info>
> >> >> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
> >> >> [16781] 5/10/2010 -- 12:11:47 - (tm-threads.c:1416) <Error>
> >> >> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] -
> >> >> thread "ReceivePfring" closed on initialization.
> >> >> [16781] 5/10/2010 -- 12:11:47 - (suricata.c:1128) <Error> (main) --
> >> >> [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed,
> >> >> aborting...
> >> >>
> >> >>
> >> >>
> >> >> The server is not a clean server (as in : just installed), there are
> >> >> other applications on it, including a snort.
> >> >> It is a debian 5 lenny, kernel 2.6.26-2-amd64.
> >> >>
> >> >> I used aptitude to upgrade/install the packages needed, got some errors
> >> >> with libpcap-dev and libpcap0.8-dev (as if the files were corrupted, it
> >> >> couldn't open them), but these are said to be required for the install
> >> >> without pf_ring as well, and suricata without pf_ring options started
> >> >> all right anyway, so I guessed it was ok.
> >> >>
> >> >> But when installing and using pfring options (suricata --pfring-int
> >> >> eth1 --pfring-cluster-id=99 --pfring-cluster-type cluster_flow -c
> >> >> /etc/suricata/suricata.yaml), I get these error messages.
> >> >> PF_RING is the last version I could get at
> >> >> https://svn.ntop.org/svn/ntop/trunk/PF_RING/ though I got it via a
> >> >> windows svn and not via the server (I don't think it changes anything,
> >> >> though).
> >> >>
> >> >> I've searched but have not found any reference to the errcode or any of
> >> >> the other error messages, thus I'd like to ask if someone has an idea
> >> >> of the problem.
> >> >
> >> > This error "Wrong RING version: kernel is 12, libpfring was compiled
> >> > with 9" sounds pretty serious to me. Mismatch between kernel pfring
> >> > version and the userland lib?
> >> >
> >> > Cheers,
> >> > Victor
> >> > --
> >> > ---------------------------------------------
> >> > Victor Julien
> >> > http://www.inliniac.net/
> >> > PGP: http://www.inliniac.net/victorjulien.asc
> >> > ---------------------------------------------
> >> >
> >> > _______________________________________________
> >> > Oisf-users mailing list
> >> > Oisf-users at openinfosecfoundation.org
> >> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> >
> >
> >
>
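
The silent no-op reported at the top of this message (the -L rule that left Makefile.in unchanged), shown as an added example that is not part of the original e-mail or of INSTALL.PF_RING. The helper names subst_checked and make_sample and the two sample Makefile.in lines are constructed for illustration; the two sed rules are the ones quoted in the message.

```shell
#!/bin/sh
# sed -i exits 0 even when the pattern matches nothing, so a mistyped rule
# leaves the file untouched without any error. This wrapper makes that visible.

# subst_checked SCRIPT FILE: 0 if FILE was modified, 1 if nothing matched.
subst_checked() {
    script=$1; file=$2
    tmp=$(mktemp) || return 2
    sed -e "$script" "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        printf 'no match: %s (%s)\n' "$script" "$file" >&2
        return 1
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed stand-in for the relevant Makefile.in lines (not the real file).
make_sample() {
    sample=$(mktemp) || return 2
    printf '%s\n' \
        'INCLS = -I. -I ../libpcap-1.0.0-ring' \
        'LIBS = -L ../libpcap-1.0.0-ring -lpcap ../lib/libpfring.a' > "$sample"
    printf '%s\n' "$sample"
}

# The -L rule as quoted from the instructions, and the corrected rule from the post.
BROKEN='s/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//'
FIXED='s/-L \.\.\/libpcap-1\.0\.0-ring/-L \/opt\/PF_RING\/lib/'

# Run both rules on the sample; prints "<broken rc> <fixed rc> <resulting LIBS line>".
demo() {
    f=$(make_sample) || return 2
    subst_checked "$BROKEN" "$f" 2>/dev/null && broken_rc=0 || broken_rc=$?
    subst_checked "$FIXED" "$f" && fixed_rc=0 || fixed_rc=$?
    libs=$(grep '^LIBS' "$f")
    rm -f "$f"
    printf '%s %s %s\n' "$broken_rc" "$fixed_rc" "$libs"
}

demo
```

Wrapping each rule of a build-patching step this way turns a pattern that no longer matches the shipped file into a hard failure instead of a build that quietly links against the wrong library path.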