[Oisf-users] interface won't enter promiscuous mode when run suricata with --pfring
Eric Leblond
eric at regit.org
Thu Aug 9 08:31:51 UTC 2012
Hello,
Le jeudi 09 août 2012 à 16:00 +0800, Delta Yeh a écrit :
> I check it again, both driver and userland library of pfring are v5.2.1,
Good! I prefer to check stupid things first...
5.2.1 is using the old pfring_open()
>
> In pfring.h, I see
>
> /* ********************************* */
>
> pfring* pfring_open(char *device_name, u_int8_t promisc,
> u_int32_t caplen, u_int8_t reentrant);
>
> while in source-pfring.c, I see
>
> #ifdef HAVE_PFRING_OPEN_NEW
Can you check HAVE_PFRING_OPEN_NEW is undef in config.h, you should have
at root directory of suricata source in config.h:
/* For post 5.4.0 version of pfring_open */
/* #undef HAVE_PFRING_OPEN_NEW */
It should be the case as it builds...
> ptv->pd = pfring_open(ptv->interface, LIBPFRING_PROMISC,
> (uint32_t)default_packet_size, LIBPFRING_REENTRANT);
This part should apply not the first one. As you can see, suricata is
putting the promisc option at the good place.
Are you using a non little endian architecture (non x86 mainly) here ?
Anyway, this looks like an issue in PF_RING. Is it possible for you to
upgrade ?
BR,
--
Eric Leblond
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120809/0c4c8344/attachment.sig>
More information about the Oisf-users
mailing list