[Oisf-users] Problem when running suricata with PF_RING

Sylvain Chillaud sylvain.chillaud at gmail.com
Tue Oct 5 12:59:33 UTC 2010


Hello,

I've been trying to install suricata with pf_ring, following the
instructions in INSTALL.PF_RING in the doc directory of the suricata-1.0.2
tarball (and the guide on the oisf website).
I've managed to configure and compile it, but when running it I get the
following errors:


[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:248) <Info>
(ReceivePfringThreadInit) -- Going to use cluster-id 99
[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info>
(ReceivePfringThreadInit) -- going to use interface eth2
Wrong RING version: kernel is 12, libpfring was compiled with 9
[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error>
(ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
pfring_open error
[16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:370) <Info>
(StreamTcpInitConfig) -- stream "max_sessions": 262144
[16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:382) <Info>
(StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:392) <Info>
(StreamTcpInitConfig) -- stream "memcap": 33554432
[16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:399) <Info>
(StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:407) <Info>
(StreamTcpInitConfig) -- stream "async_oneside": disabled
[16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:416) <Info>
(StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:436) <Info>
(StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[16781] 5/10/2010 -- 12:11:47 - (tm-threads.c:1416) <Error>
(TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread
"ReceivePfring" closed on initialization.
[16781] 5/10/2010 -- 12:11:47 - (suricata.c:1128) <Error> (main) --
[ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed,
aborting...



The server is not a clean server (as in: just installed), there are other
applications on it, including a snort.
It is a Debian 5 lenny, kernel 2.6.26-2-amd64.

I used aptitude to upgrade/install the packages needed, got some errors with
libpcap-dev and libpcap0.8-dev (as if the files were corrupted, it couldn't
open them), but these are said to be required for the install without
pf_ring as well, and suricata without pf_ring options started all right
anyway, so I guessed it was ok.

But when installing and using pfring options (suricata --pfring-int eth1
--pfring-cluster-id=99 --pfring-cluster-type cluster_flow -c
/etc/suricata/suricata.yaml), I get these error messages.
PF_RING is the last version I could get at
https://svn.ntop.org/svn/ntop/trunk/PF_RING/ though I got it via a windows
svn and not via the server (I don't think it changes anything, though).

I've searched but have not found any reference to the errcode or any of the
other error messages, thus I'd like to ask if someone has an idea of the
problem.


Thanks,

Sylvain