[Oisf-users] Problem when running suricata with PF_RING

Will Metcalf william.metcalf at gmail.com
Wed Nov 17 16:20:33 UTC 2010


Right, the seds that modify the Makefiles are there just for good
measure, say if you have already run configure previously or
something.

Can you show me any error messages please?

Regards,

Will

On Wed, Nov 17, 2010 at 10:14 AM, Sylvain Chillaud
<sylvain.chillaud at gmail.com> wrote:
> Ok, so I made a bit of cleaning and began from semi-scratch (did not
> uninstall the first packages needed for suricata itself), going very
> carefully.
>
> Right now the problem is still here. I'll try different things and keep you
> posted.
>
>
>
> However, through this install process, I've noticed glitches in the
> INSTALL.PF_RING that you might want to know of and correct.
>
> At the part where we have to go to PF_RING/userland/tcpdump-4.0.0/
> the instructions say to do:
>
> sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/'
> Makefile
> sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/'
> Makefile.in
> sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/'
> Makefile
> sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/'
> Makefile.in
> sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//'
> Makefile
> sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//'
> Makefile.in
>
> First thing, I noticed that there is no Makefile, just Makefile.in. Don't
> know if it's important, though.
> Second thing I noticed, in these sed commands, there seems to be some "\"
> and "/" that should not be there in the last ones. The result is that the
> parameter is not changed in the file. Correcting sed -i -e 's/-L
> \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//' Makefile.in
> to      sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring/-L \/opt\/PF_RING\/lib/'
> Makefile.in    did the trick for me.
>
>
>
> If there is anything I can provide to help find where this error comes from,
> let me know.
>
> Regards,
>
> Sylvain
>
>
> 2010/11/16 Will Metcalf <william.metcalf at gmail.com>
>>
>> Hmm, Yes I did indeed try.  There was a bug in PF_RING that I reported
>> to Luca and was fixed and now it works properly.  Are you still
>> getting the same error message?  Perhaps you should use dkms to remove
>> any versions of PF_RING modules you have installed.  Once you have
>> done this nuke the /opt/PF_RING/ dir and restart the install procedure
>> from scratch.
>>
>> Regards,
>>
>> Will
>>
>> On Tue, Nov 16, 2010 at 3:20 AM, Sylvain Chillaud
>> <sylvain.chillaud at gmail.com> wrote:
>> > bump
>> >
>> > I've been trying with the latest rev of PF_RING but I still get the same
>> > error.
>> >
>> > Did you give it a try, Will ?
>> >
>> > 2010/10/5 Will Metcalf <william.metcalf at gmail.com>
>> >>
>> >> That's what it sounds like to me as well. Whenever I get 20 minutes or
>> >> so I can try to build on my end from the latest PF_RING version.
>> >>
>> >> Regards,
>> >>
>> >> Will
>> >>
>> >> On Tue, Oct 5, 2010 at 8:04 AM, Victor Julien <victor at inliniac.net>
>> >> wrote:
>> >> > Sylvain Chillaud wrote:
>> >> >> Hello,
>> >> >>
>> >> >> I've been trying to install suricata with pf_ring, following the
>> >> >> instructions in INSTALL.PF_RING in the doc directory of the
>> >> >> suricata-1.0.2 tarball (and the guide on the oisf website).
>> >> >> I've managed to configure and compile it, but when running it I get
>> >> >> the
>> >> >> following errors :
>> >> >>
>> >> >>
>> >> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:248) <Info>
>> >> >> (ReceivePfringThreadInit) -- Going to use cluster-id 99
>> >> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info>
>> >> >> (ReceivePfringThreadInit) -- going to use interface eth2
>> >> >> Wrong RING version: kernel is 12, libpfring was compiled with 9
>> >> >> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error>
>> >> >> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
>> >> >> pfring_open error
>> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:370) <Info>
>> >> >> (StreamTcpInitConfig) -- stream "max_sessions": 262144
>> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:382) <Info>
>> >> >> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
>> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:392) <Info>
>> >> >> (StreamTcpInitConfig) -- stream "memcap": 33554432
>> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:399) <Info>
>> >> >> (StreamTcpInitConfig) -- stream "midstream" session pickups:
>> >> >> disabled
>> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:407) <Info>
>> >> >> (StreamTcpInitConfig) -- stream "async_oneside": disabled
>> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:416) <Info>
>> >> >> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
>> >> >> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:436) <Info>
>> >> >> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
>> >> >> [16781] 5/10/2010 -- 12:11:47 - (tm-threads.c:1416) <Error>
>> >> >> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] -
>> >> >> thread
>> >> >> "ReceivePfring" closed on initialization.
>> >> >> [16781] 5/10/2010 -- 12:11:47 - (suricata.c:1128) <Error> (main) --
>> >> >> [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed,
>> >> >> aborting...
>> >> >>
>> >> >>
>> >> >>
>> >> >> The server is not a clean server (as in : just installed), there are
>> >> >> other applications on it, including a snort.
>> >> >> It is a debian 5 lenny, kernel 2.6.26-2-amd64.
>> >> >>
>> >> >> I used aptitude to upgrade/install the packages needed, got some
>> >> >> errors
>> >> >> with libpcap-dev and libpcap0.8-dev (as if the files were corrupted,
>> >> >> it
>> >> >> couldn't open them), but these are said to be required for the
>> >> >> install
>> >> >> without pf_ring as well, and suricata without pf_ring options
>> >> >> started
>> >> >> all right anyway, so I guessed it was ok.
>> >> >>
>> >> >> But when installing and using pfring options (suricata --pfring-int
>> >> >> eth1 --pfring-cluster-id=99 --pfring-cluster-type cluster_flow -c
>> >> >> /etc/suricata/suricata.yaml), I get these error messages.
>> >> >> PF_RING is the last version I could get at
>> >> >> https://svn.ntop.org/svn/ntop/trunk/PF_RING/ though I got it via a
>> >> >> windows svn and not via the server (I don't think it changes
>> >> >> anything,
>> >> >> though).
>> >> >>
>> >> >> I've searched but have not found any reference to the errcode or any
>> >> >> of
>> >> >> the other error messages, thus I'd like to ask if someone has an
>> >> >> idea
>> >> >> of the problem.
>> >> >
>> >> > This error "Wrong RING version: kernel is 12, libpfring was compiled
>> >> > with 9" sounds pretty serious to me. Mismatch between kernel pfring
>> >> > version and the userland lib?
>> >> >
>> >> > Cheers,
>> >> > Victor
>> >> > --
>> >> > ---------------------------------------------
>> >> > Victor Julien
>> >> > http://www.inliniac.net/
>> >> > PGP: http://www.inliniac.net/victorjulien.asc
>> >> > ---------------------------------------------
>> >> >
>> >> > _______________________________________________
>> >> > Oisf-users mailing list
>> >> > Oisf-users at openinfosecfoundation.org
>> >> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >> >
>> >
>> >
>
>
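
The silent no-op reported in the message above, reproduced as an added example (not part of the original thread or of INSTALL.PF_RING). The Makefile.in fragment is constructed, and `make_sample` and `apply_checked` are hypothetical helper names; the sed expressions are the ones quoted in the thread.

```shell
#!/bin/sh
# Constructed two-line fragment, NOT the real tcpdump-4.0.0 Makefile.in.
make_sample() {
    cat > "$1" <<'EOF'
INCLS = -I. -I ../libpcap-1.0.0-ring
LIBS = -L ../libpcap-1.0.0-ring -lpcap ../lib/libpfring.a
EOF
}

# Apply one sed expression to a file.
# Returns 0 if the file changed, 1 if sed matched nothing, 2 on error.
# A plain "sed -i" exits 0 in both of the first two cases.
apply_checked() {
    file=$1
    expr=$2
    tmp=$(mktemp) || return 2
    sed -e "$expr" "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
    return 0
}

# Expressions as quoted in the thread.
LIB_A='s/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/'
INC='s/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/'
# As written in the instructions: the pattern swallows "\/-L " and so needs
# the literal text "-L ../libpcap-1.0.0-ring/-L " to be present in the file.
BROKEN_L='s/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//'
# Sylvain's correction: the delimiter sits between pattern and replacement.
FIXED_L='s/-L \.\.\/libpcap-1\.0\.0-ring/-L \/opt\/PF_RING\/lib/'

f=$(mktemp)
make_sample "$f"
for e in "$LIB_A" "$INC" "$BROKEN_L" "$FIXED_L"; do
    if apply_checked "$f" "$e"; then
        echo "changed: $e"
    else
        echo "NO-OP:   $e"
    fi
done
cat "$f"
rm -f "$f"
```
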


