[Oisf-users] Suricata with PF_RING on latest git

Fri Jul 6 11:41:52 UTC 2012

Another possible fix for this pthread issue is to patch the Makefile for
PF_RING's libpcap:

--- userland/libpcap-1.1.1-ring/Makefile.in.orig        2011-11-18
14:26:16.000000000 +0000
+++ userland/libpcap-1.1.1-ring/Makefile.in     2012-07-06
12:28:15.095829722 +0100
@@ -48,7 +48,7 @@
 CC = @CC@
 CCOPT = @V_CCOPT@
 PF_RING_INCLUDES=-I ../../kernel -I ../lib
-PF_RING_LIBS= ../lib/libpfring.a
+PF_RING_LIBS= ../lib/libpfring.a -lpthread
 INCLS = -I. @V_INCLS@ $(PF_RING_INCLUDES)
 DEFS = @DEFS@ @V_DEFS@ -DHAVE_PF_RING
 ADDLOBJS = @ADDLOBJS@

(which matches what's in the Makefile.in for tcpdump-1.1.1) and running
"./configure; make" gives

> ldd libpcap.so.1.1.1 
>         linux-vdso.so.1 =>  (0x00007fffc84b3000)
>         libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f5e52bd5000)
>         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5e52818000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f5e53050000)

and the original Suricata configure script now works.

I also hit problems with Bro that are fixed by this.

Luca, is this a correct fix?

Strange that it's only a problem in Ubuntu 12.0.4!

Best Wishes,
Chris

On 04/07/12 21:36, Chris Wakelin wrote:
> Actually, I hit the same problem.
> 
> The issue seems to be the libpthread library doesn't get found.
> 
> When you build PF_RING libraries you find the shared library depends on
> libpthread:
> 
>> ldd libpfring.so 
>>         linux-vdso.so.1 =>  (0x00007fff681c0000)
>>         libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb691144000)
>>         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb690d87000)
>>         /lib64/ld-linux-x86-64.so.2 (0x00007fb691589000)
> 
> but the shared libcap library (which is statically linked to
> libpfring.a) doesn't:
> 
>> ldd libpcap.so.1.1.1 
>>         linux-vdso.so.1 =>  (0x00007fffd8385000)
>>         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f695471b000)
>>         /lib64/ld-linux-x86-64.so.2 (0x00007f6954d36000)
> 
> I'm not good enough at this sort of thing to know how to fix it
> properly, but I hacked the Suricata "configure" script to add
> "-lpthread" explicitly:-
> 
>  $as_echo_n "checking for pcap_open_live in -lpcap... " >&6; }
>  if ${ac_cv_lib_pcap_pcap_open_live+:} false; then :
>    $as_echo_n "(cached) " >&6
>  else
>    ac_check_lib_save_LIBS=$LIBS
> -LIBS="-lpcap $LIBS"
> +LIBS="-lpcap -lpthread $LIBS"
> 
> which seems to fix it.
> 
> What confuses me is that "-lpthread" is already in the generated compile
> flags, but somehow the order matters, at least in Ubuntu 12.04.
> 
> Best Wishes,
> Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094



