[Oisf-users] interface won't enter promiscuous mode when run suricata with --pfring

Eric Leblond eric at regit.org
Thu Aug 9 08:31:51 UTC 2012


Hello,

Le jeudi 09 août 2012 à 16:00 +0800, Delta Yeh a écrit :
> I check it again, both driver and userland library of pfring are v5.2.1,

Good! I prefer to check stupid things first...

5.2.1 is using the old pfring_open()

> 
> In pfring.h, I see
> 
>    /* ********************************* */
> 
>   pfring* pfring_open(char *device_name, u_int8_t promisc,
>                       u_int32_t caplen, u_int8_t reentrant);
> 
> while in source-pfring.c, I see
> 
> #ifdef HAVE_PFRING_OPEN_NEW

Can you check HAVE_PFRING_OPEN_NEW is undef in config.h, you should have
at root directory of suricata source in config.h:

/* For post 5.4.0 version of pfring_open */
/* #undef HAVE_PFRING_OPEN_NEW */

It should be the case as it builds...

>     ptv->pd = pfring_open(ptv->interface, LIBPFRING_PROMISC,
> (uint32_t)default_packet_size, LIBPFRING_REENTRANT);

This part should apply not the first one. As you can see, suricata is
putting the promisc option at the good place.

Are you using a non little endian architecture (non x86 mainly) here ?

Anyway, this looks like an issue in PF_RING. Is it possible for you to
upgrade ?

BR,
-- 
Eric Leblond 
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120809/0c4c8344/attachment.sig>


More information about the Oisf-users mailing list