[Oisf-users] Problem when running suricata with PF_RING

Tue Oct 5 13:57:56 UTC 2010

Thats what it sounds like to me as well. Whenever I get 20 minutes or
so I can try to build on my end from the latest PF_RING version.

Regards,

Will

On Tue, Oct 5, 2010 at 8:04 AM, Victor Julien <victor at inliniac.net> wrote:
> Sylvain Chillaud wrote:
>> Hello,
>>
>> I've been trying to install suricata with pf_ring, following the
>> instructions in INSTALL.PF_RING in the doc directory of the
>> suricata-1.0.2 tarball (and the giude on the oisf website).
>> I've managed to configure and compile it, but when running it I get the
>> following errors :
>>
>>
>> /[16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:248) <Info>
>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
>> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:255) <Info>
>> (ReceivePfringThreadInit) -- going to use interface eth2
>> Wrong RING version: kernel is 12, libpfring was compiled with 9
>> [16815] 5/10/2010 -- 12:11:46 - (source-pfring.c:260) <Error>
>> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
>> pfring_open error
>> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:370) <Info>
>> (StreamTcpInitConfig) -- stream "max_sessions": 262144
>> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:382) <Info>
>> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
>> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:392) <Info>
>> (StreamTcpInitConfig) -- stream "memcap": 33554432
>> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:399) <Info>
>> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
>> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:407) <Info>
>> (StreamTcpInitConfig) -- stream "async_oneside": disabled
>> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:416) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
>> [16781] 5/10/2010 -- 12:11:46 - (stream-tcp.c:436) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
>> [16781] 5/10/2010 -- 12:11:47 - (tm-threads.c:1416) <Error>
>> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread
>> "ReceivePfring" closed on initialization.
>> [16781] 5/10/2010 -- 12:11:47 - (suricata.c:1128) <Error> (main) --
>> [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed,
>> aborting.../
>>
>>
>>
>> The server is not a clean server (as in : just installed), there are
>> other applications on it, including a snort.
>> It is a debian 5 lenny, kernel 2.6.26-2-amd64.
>>
>> I used aptitude to upgrade/install the packages needed, got some errors
>> with libpcap-dev and libpcap0.8-dev (as if the files were corrupted, it
>> couldn't open them), but these are said to be required for the install
>> without pf_ring as well, and suricata without pf_ring options started
>> all right anyway, so I guessed it was ok.
>>
>> But when installing and using pfring options (/suricata --pfring-int
>> eth1 --pfring-cluster-id=99 --pfring-cluster-type cluster_flow -c
>> /etc/suricata/suricata.yaml/), I get these error messages.
>> PF_RING is the last version I could get at
>> /https://svn.ntop.org/svn/ntop/trunk/PF_RING// though I got it via a
>> windows svn and not via the server(I don't think it changes anything,
>> though).
>>
>> I've searched but have not found any reference to the errcode or any of
>> the other error messages, thus I'd like to ask if someone have an idea
>> of the problem.
>
> This error "Wrong RING version: kernel is 12, libpfring was compiled
> with 9" sounds pretty serious to me. Mismatch between kernel pfring
> version and the userland lib?
>
> Cheers,
> Victor
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>