[Oisf-users] interface won't enter promiscuous mode when run suricata with --pfring
Delta Yeh
delta.yeh at gmail.com
Thu Aug 9 08:00:17 UTC 2012
I check it again, both driver and userland library of pfring are v5.2.1,
In pfring.h, I see
/* ********************************* */
pfring* pfring_open(char *device_name, u_int8_t promisc,
u_int32_t caplen, u_int8_t reentrant);
while in source-pfring.c, I see
#ifdef HAVE_PFRING_OPEN_NEW
ptv->pd = pfring_open(ptv->interface, (uint32_t)default_packet_size,
PF_RING_REENTRANT | PF_RING_LONG_HEADER |
PF_RING_PROMISC);
#else
ptv->pd = pfring_open(ptv->interface, LIBPFRING_PROMISC,
(uint32_t)default_packet_size, LIBPFRING_REENTRANT);
#endif
We can see both PF_RING_REENTRANT are PF_RING_PROMISC are set.
But something different with old pfring_open.
Do you mean LIBPFRING_REENTRANT == 0 is set reentrant flag for old
pfring_open API?
Is it possible this is a bug(reentrant and promisc flag are switched)
of pring userland library?
2012/8/9 Eric Leblond <eric at regit.org>:
> Hello,
>
> Le jeudi 09 août 2012 à 15:24 +0800, Delta Yeh a écrit :
>> If I change the macro in source-pfring.c
>> #define LIBPFRING_REENTRANT 0
>>
>> to
>>
>> #define LIBPFRING_REENTRANT 1
>>
>> it works.
>>
>> Why I do this is because I notice that with new pfring_open, flags
>> PF_RING_REENTRANT | PF_RING_LONG_HEADER | PF_RING_PROMISC
>> is set, but with old pfring_open, the LIBPFRING_REENTRANT is 0.
>>
>>
>> So my question now is why LIBPFRING_REENTRANT affect promiscuous mode?
>
> Something is messed up here. Suricata code looks correct for me: it
> respect PF_RING API.
>
> Are you using synchronised version of PF_RING library and driver ?
>
> BR,
>
>>
>>
>> 2012/8/9 Delta Yeh <delta.yeh at gmail.com>:
>> > Hi,
>> > When I run suricata 1.3rc1 with --pfring, the interface won't
>> > enter promiscuous mode.
>> > I have to set interface promiscuous mode manually with ifconfig to
>> > make suricata works.
>> > The pfring I use is 5.2.1 , the OS is debian 5.
>> >
>> > If I start suricata with pcap , everything is OK.
>> >
>> > Any suggestion?
>> >
>> > Thanks in advance.
>> >
>> >
>> >
>> > BR
>> > DeltaY
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> --
> Eric Leblond
> Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
More information about the Oisf-users
mailing list