[Oisf-users] Problem when running suricata with PF_RING

Victor Julien victor at inliniac.net
Tue Oct 5 13:04:47 UTC 2010


Sylvain Chillaud wrote:
> Hello,
> 
> I've been trying to install suricata with pf_ring, following the
> instructions in INSTALL.PF_RING in the doc directory of the
> suricata-1.0.2 tarball (and the guide on the oisf website).
> I've managed to configure and compile it, but when running it I get the
> following errors:
> 
> 
> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:248) <Info>
> (ReceivePfringThreadInit) -- Going to use cluster-id 99
> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info>
> (ReceivePfringThreadInit) -- going to use interface eth2
> Wrong RING version: kernel is 12, libpfring was compiled with 9
> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error>
> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
> pfring_open error
> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:370) <Info>
> (StreamTcpInitConfig) -- stream "max_sessions": 262144
> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:382) <Info>
> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:392) <Info>
> (StreamTcpInitConfig) -- stream "memcap": 33554432
> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:399) <Info>
> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:407) <Info>
> (StreamTcpInitConfig) -- stream "async_oneside": disabled
> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:416) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:436) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
> [16781] 5/10/2010 -- 12:11:47 - (tm-threads.c:1416) <Error>
> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread
> "ReceivePfring" closed on initialization.
> [16781] 5/10/2010 -- 12:11:47 - (suricata.c:1128) <Error> (main) --
> [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed,
> aborting...
> 
> 
> 
> The server is not a clean server (as in : just installed), there are
> other applications on it, including a snort.
> It is a debian 5 lenny, kernel 2.6.26-2-amd64.
> 
> I used aptitude to upgrade/install the packages needed, got some errors
> with libpcap-dev and libpcap0.8-dev (as if the files were corrupted, it
> couldn't open them), but these are said to be required for the install
> without pf_ring as well, and suricata without pf_ring options started
> all right anyway, so I guessed it was ok.
> 
> But when installing and using pfring options (suricata --pfring-int
> eth1 --pfring-cluster-id=99 --pfring-cluster-type cluster_flow -c
> /etc/suricata/suricata.yaml), I get these error messages.
> PF_RING is the last version I could get at
> https://svn.ntop.org/svn/ntop/trunk/PF_RING/ though I got it via a
> windows svn and not via the server (I don't think it changes anything,
> though).
> 
> I've searched but have not found any reference to the errcode or any of
> the other error messages, thus I'd like to ask if someone has an idea
> of the problem.

This error "Wrong RING version: kernel is 12, libpfring was compiled
with 9" sounds pretty serious to me. Mismatch between kernel pfring
version and the userland lib?

Cheers,
Victor
-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
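
Added example, not part of the original thread and not Suricata or PF_RING code: a small triage of the startup log quoted above that separates Suricata's own log lines from the one line lacking its log prefix and extracts the kernel and libpfring versions from it. The function name `triage` is hypothetical, and the sample is constructed from the log lines in the post with the mail wrapping and quoting removed.

```python
import re

# Constructed sample: log lines from the post, unwrapped and unquoted.
SAMPLE_LOG = """\
[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info> (ReceivePfringThreadInit) -- going to use interface eth2
Wrong RING version: kernel is 12, libpfring was compiled with 9
[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - pfring_open error
[16781] 5/10/2010 -- 12:11:47 - (tm-threads.c:1416) <Error> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "ReceivePfring" closed on initialization.
[16781] 5/10/2010 -- 12:11:47 - (suricata.c:1128) <Error> (main) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
"""

# Shape of a Suricata engine log line as it appears in the post:
# [pid] date -- time - (file:line) <Level> (function) -- [ERRCODE: NAME(n)] - message
ENGINE_LINE = re.compile(
    r"^\[(?P<pid>\d+)\] \S+ -- \S+ - \((?P<src>[^)]+)\) <(?P<level>\w+)> "
    r"\((?P<func>\w+)\) -- (?:\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$"
)
# The version complaint carries no Suricata prefix, so it is matched separately.
RING_MISMATCH = re.compile(
    r"Wrong RING version: kernel is (\d+), libpfring was compiled with (\d+)"
)

def triage(log_text):
    """Return the error chain, unprefixed lines, and any RING version mismatch."""
    errors, unprefixed, mismatch = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENGINE_LINE.match(line)
        if m:
            if m["level"] == "Error":
                errors.append((m["code"], m["src"], m["msg"]))
            continue
        # Anything that is not an engine line is kept: here it holds the root cause.
        unprefixed.append(line)
        v = RING_MISMATCH.search(line)
        if v:
            mismatch = {"kernel": int(v.group(1)), "libpfring": int(v.group(2))}
    return {"errors": errors, "unprefixed": unprefixed, "mismatch": mismatch}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("mismatch:", result["mismatch"])
    for code, src, msg in result["errors"]:
        print(f"{code} at {src}: {msg}")
```
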
