[Oisf-users] Suricata with PF_RING on latest git

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Jul 4 20:36:12 UTC 2012


Actually, I hit the same problem.

The issue seems to be the libpthread library doesn't get found.

When you build PF_RING libraries you find the shared library depends on
libpthread:

> ldd libpfring.so 
>         linux-vdso.so.1 =>  (0x00007fff681c0000)
>         libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb691144000)
>         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb690d87000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007fb691589000)

but the shared libpcap library (which is statically linked to
libpfring.a) doesn't:

> ldd libpcap.so.1.1.1 
>         linux-vdso.so.1 =>  (0x00007fffd8385000)
>         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f695471b000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f6954d36000)

I'm not good enough at this sort of thing to know how to fix it
properly, but I hacked the Suricata "configure" script to add
"-lpthread" explicitly:-

 $as_echo_n "checking for pcap_open_live in -lpcap... " >&6; }
 if ${ac_cv_lib_pcap_pcap_open_live+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpcap $LIBS"
+LIBS="-lpcap -lpthread $LIBS"
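
Review bot: the added -lpthread on the `+LIBS="-lpcap -lpthread $LIBS"` line is made in the generated configure script (the `$as_echo_n` and `ac_cv_lib_pcap_pcap_open_live` lines are autoconf output), so it disappears the next time configure is regenerated. The change belongs in configure.ac, as the other-libraries argument of the AC_CHECK_LIB test for pcap_open_live, and ideally only when a PF_RING-enabled libpcap is being used, since this line now adds -lpthread to the test for every libpcap. The config.log link line quoted further down the thread already has -lpthread after -lpcap and fails on pfring_* symbols, so it is worth checking config.log after this change to see what the test link line actually looks like.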

which seems to fix it.

What confuses me is that "-lpthread" is already in the generated compile
flags, but somehow the order matters, at least in Ubuntu 12.04.

Best Wishes,
Chris

On 04/07/12 20:35, Edward Fjellskål wrote:
> On 06/19/2012 03:55 PM, Peter Bates wrote:
>>
>> Hello again all
>>
>> I'm mostly trying to follow: 
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104
> 
> I just tried:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1204
> 
> on a new installed host.
> 
> Same issues as Peter :(
> 
> also:
> "If I install libpcap-dev (i.e. the distro supplied one)
> then everything builds okay."
> 
> And it seems to work okay... from a 5 minute test...
> 
> E
> 
> 
>> At the moment it doesn't seem to build with libpcap in another 
>> location either - or am I missing something?
>>
>> ./configure --with-libpcap-includes=/usr/local/include 
>> --with-libpcap-libraries=/usr/local/lib
>>
>> checking pcap.h usability... yes
>> checking pcap.h presence... yes
>> checking for pcap.h... yes
>> checking for pcap_open_live in -lpcap... no
>>
>> ERROR!  libpcap library not found, go get it from
>> http://www.tcpdump.org or your distribution:
>>
>> Ubuntu: apt-get install libpcap-dev
>> Fedora: yum install libpcap-devel
>>
>> In config.log:
>>
>> configure:15618: checking for pcap.h
>> configure:15618: result: yes
>> configure:15632: checking for pcap_open_live in -lpcap
>> configure:15657: gcc -o conftest -g -O2 -Wextra -Wall
>> -fno-strict-aliasing -fno-tree-pre -Wno-unused-parameter -std=gnu99
>> -march=native -DHAVE_LIBNET11 -D_BSD_SOURCE -D__BSD_SOURCE
>> -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H  -I/usr/local/include
>> -L/usr/local/lib conftest.c -lpcap  -lnet -lpthread -lyaml -lpcre >&5
>> /usr/local/lib/libpcap.so: undefined reference to `pfring_get_ring_id'
>> /usr/local/lib/libpcap.so: undefined reference to `pfring_breakloop'
>> /usr/local/lib/libpcap.so: undefined reference to `pfring_enable_ring'
>> /usr/local/lib/libpcap.so: undefined reference to `pfring_send'
>> <snip>
>>
>> I can see there is clearly an interaction between the PF_RING
>> modified libpcap and this process.
>>
>> If I install libpcap-dev (i.e. the distro supplied one) then
>> everything builds okay.
>>
>>
>> _______________________________________________ Oisf-users mailing
>> list Oisf-users at openinfosecfoundation.org 
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
> 


-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094




