[Oisf-users] Suricata with PF_RING on latest git
Chris Wakelin
c.d.wakelin at reading.ac.uk
Thu Jul 5 17:50:13 EDT 2012
It's sort of working for me on 12.04, but I'm testing with PF_RING and
DNA (so no normal PF_RING cluster) and on a machine with no live
traffic, just the two 10Gb ports connected together.
I'm losing HTTP entries though, but not packets, on my test pcap
(suricata -r has 12000 entries in http.log; I'm getting only half that
with PF_RING DNA). I'm not sure whether this is due to my setup or
possible bugs in PF_RING DNA/libzero though.
I'll know more on Tuesday when I hopefully get some live traffic from
our campus border switch (after we upgrade its firmware to cope with
10Gb port-mirroring).
Best Wishes,
Chris
On 05/07/12 22:40, Edward Fjellskål wrote:
> On 07/05/2012 10:48 PM, Eric Leblond wrote:
>> Hello,
>
>> Le jeudi 05 juillet 2012 à 22:04 +0200, Edward Fjellskål a écrit :
>>> On 07/05/2012 03:02 PM, Victor Julien wrote:
>>>> On 07/04/2012 10:56 PM, Edward Fjellskål wrote:
>>>>>> From the testing I'm doing now, about 50% of the times I
>>>>>> stop
>>>>> suricata, it won't... One time it spit out some info about it
>>>>> taking too long to shut down, and after a little while killed
>>>>> itself!
>>>>
>>>> This should be fixed in the current master.
>> ...
>>> Ubuntu 12.04 with PF_RING v.5.4.4 from git yesterday.
>>>
>>> Things were working better with yesterday's suricata from git :)
>
>> I've rebuilt on my VM and run some tests but I did not manage to
>> reproduce it :/
>
>> Do you have something in stats.log ? Does suricata detect if you
>> enter a CTRL+C ?
>
>> BR,
>
>
>
> CTRL+C has no effect.
>
> I let it hang for a good while:
> 24224] 5/7/2012 -- 22:03:57 - (tm-threads.c:1991) <Info>
> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 3
> management threads initialized, engine started.
> ^C[24224] 5/7/2012 -- 22:04:20 - (suricata.c:1837) <Info> (main) --
> stopping engine, waiting for outstanding packets
> [24224] 5/7/2012 -- 22:06:20 - (suricata.c:1860) <Error> (main) --
> [ERRCODE: SC_ERR_SHUTDOWN(193)] - shutdown taking too long, likely a
> bug! (1022 != 1024).
> [24224] 5/7/2012 -- 22:06:20 - (suricata.c:1872) <Info> (main) -- all
> packets processed by threads, stopping engine
> [24227] 5/7/2012 -- 22:06:21 - (flow-manager.c:549) <Info>
> (FlowManagerThread) -- 0 new flows, 0 established flows were timed
> out, 0 flows in closed state
> [24224] 5/7/2012 -- 22:07:58 - (tm-threads.c:1538) <Error>
> (TmThreadDisableReceiveThreads) -- [ERRCODE: SC_ERR_FATAL(176)] -
> Engine unable to disable receive thread - "RxPFReth11". Killing engine
>
>
>
> The statslog spits out just zeros :(
>
> -------------------------------------------------------------------
> Date: 7/5/2012 -- 23:24:48 (uptime: 0d, 00h 01m 35s)
> -------------------------------------------------------------------
> Counter | TM Name | Value
> -------------------------------------------------------------------
> flow_mgr.closed_pruned | FlowManagerThread | 0
> flow_mgr.new_pruned | FlowManagerThread | 0
> flow_mgr.est_pruned | FlowManagerThread | 0
> flow.memuse | FlowManagerThread | 6390016
> flow.spare | FlowManagerThread | 10000
> flow.emerg_mode_entered | FlowManagerThread | 0
> flow.emerg_mode_over | FlowManagerThread | 0
> decoder.pkts | RxPFReth11 | 0
> decoder.bytes | RxPFReth11 | 0
> decoder.ipv4 | RxPFReth11 | 0
> decoder.ipv6 | RxPFReth11 | 0
> ...
> ...
>
> tcpdump works fine :)
>
>
> af-packet works, but not as good as yesterday either :/
> Will look more on this during the weekend
>
> E
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
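The symptom Edward quotes above is a stats.log whose receive thread (RxPFReth11) reports decoder.pkts of 0 while tcpdump sees traffic. The following is an added example, not code from this thread or from the Suricata project: a small parser for the pipe-separated stats.log table format shown in the quoted output, which splits the file into its periodic snapshots and flags any receive thread whose packet counter failed to advance between the last two snapshots (the all-zero case included). The sample log is constructed to mirror the quoted excerpt; the thread name RxPFReth12 and its counter values are invented for illustration.

```python
from collections import defaultdict

# Constructed sample modelled on the stats.log excerpt quoted in the thread.
# RxPFReth11 mirrors the reported symptom (never receives a packet);
# RxPFReth12 and its values are invented to show a healthy thread.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 7/5/2012 -- 23:24:48 (uptime: 0d, 00h 01m 35s)
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
flow.memuse | FlowManagerThread | 6390016
flow.spare | FlowManagerThread | 10000
decoder.pkts | RxPFReth11 | 0
decoder.bytes | RxPFReth11 | 0
decoder.pkts | RxPFReth12 | 48213
decoder.bytes | RxPFReth12 | 31922800
-------------------------------------------------------------------
Date: 7/5/2012 -- 23:25:03 (uptime: 0d, 00h 01m 50s)
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
flow.memuse | FlowManagerThread | 6390016
flow.spare | FlowManagerThread | 10000
decoder.pkts | RxPFReth11 | 0
decoder.bytes | RxPFReth11 | 0
decoder.pkts | RxPFReth12 | 96110
decoder.bytes | RxPFReth12 | 63501200
"""


def parse_stats_log(text):
    """Split a stats.log into snapshots, one per 'Date:' banner.

    Returns a list of (date_string, {tm_name: {counter: int}}).
    Separator lines, the 'Counter | TM Name | Value' header and any
    non-integer values are skipped.
    """
    snapshots = []
    current = None
    for line in text.splitlines():
        if line.startswith("Date:"):
            current = (line[len("Date:"):].strip(), defaultdict(dict))
            snapshots.append(current)
            continue
        if current is None:
            continue  # text before the first banner
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or parts[0] == "Counter":
            continue
        name, tm_name, value = parts
        try:
            current[1][tm_name][name] = int(value)
        except ValueError:
            continue
    return snapshots


def stalled_capture_threads(snapshots, prefix="Rx", counter="decoder.pkts"):
    """Receive threads whose packet counter did not advance between the
    last two snapshots. A thread stuck at 0, as in the quoted log, is
    reported the same way as one that stopped mid-run."""
    if len(snapshots) < 2:
        return []
    _, prev = snapshots[-2]
    _, last = snapshots[-1]
    stalled = []
    for tm_name, counters in last.items():
        if not tm_name.startswith(prefix):
            continue  # management threads such as FlowManagerThread
        before = prev.get(tm_name, {}).get(counter, 0)
        if counters.get(counter, 0) <= before:
            stalled.append(tm_name)
    return sorted(stalled)


if __name__ == "__main__":
    snaps = parse_stats_log(SAMPLE_STATS_LOG)
    print(f"{len(snaps)} snapshots, last at {snaps[-1][0]}")
    for tm_name in stalled_capture_threads(snaps):
        print(f"capture thread {tm_name} has not received packets")
```

Pointing `parse_stats_log` at a real stats.log (read as text) gives the same structure; comparing the last two snapshots rather than testing for zero also catches a capture thread that was fine at start-up and then silently stopped, which a single all-zero check would miss.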