[Oisf-users] Error compiling suricata 1.3.2 against pf_ring 5.4.6

C. L. Martinez carlopmart at gmail.com
Tue Oct 30 07:29:07 UTC 2012


On Mon, Oct 29, 2012 at 9:09 PM, Peter Manev <petermanev at gmail.com> wrote:
> Hi Carlo,
>
> I just followed the guide here for the pfring installation:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1204
>
> and I was able to build Suricata with pfring without any trouble on CentOS.
> -
>
> [user@localhost oisf]$ LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --build-info
> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:540) <Info> (SCPrintBuildInfo)
> -- This is Suricata version 1.4dev (rev bca1b7c)
> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:613) <Info> (SCPrintBuildInfo)
> -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET
> HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
> HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:627) <Info> (SCPrintBuildInfo)
> -- 64-bits, Little-endian architecture
> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:629) <Info> (SCPrintBuildInfo)
> -- GCC version 4.4.6 20120305 (Red Hat 4.4.6-4), C version 199901
> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:635) <Info> (SCPrintBuildInfo)
> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:638) <Info> (SCPrintBuildInfo)
> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:641) <Info> (SCPrintBuildInfo)
> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:644) <Info> (SCPrintBuildInfo)
> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:647) <Info> (SCPrintBuildInfo)
> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
>
> [user@localhost oisf]$ cat /proc/net/pf_ring/info
> PF_RING Version     : 5.4.6 ($Revision: exported$)
> Ring slots          : 4096
> Slot version        : 14
> Capture TX          : Yes [RX+TX]
> IP Defragment       : No
> Socket Mode         : Standard
> Transparent mode    : Yes (mode 0)
> Total rings         : 0
> Total plugins       : 0
> [user@localhost oisf]$
>
> [user@localhost oisf]$ uname -a
> Linux localhost.localdomain 2.6.32-279.5.2.el6.x86_64 #1 SMP Fri Aug 24
> 01:07:11 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> [user@localhost oisf]$
>
> [user@localhost oisf]$ cat /etc/redhat-release
> CentOS release 6.3 (Final)
>
>
> My configure/compile line was:
>
> sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git
> cd oisf/
> sudo ./autogen.sh
> ./configure --enable-pfring \
>   --with-libpfring-includes=/usr/local/pfring/include \
>   --with-libpfring-libraries=/usr/local/pfring/lib \
>   --with-libpcap-includes=/usr/local/pfring/include \
>   --with-libpcap-libraries=/usr/local/pfring/lib
> make clean
> make
> sudo make install
> sudo ldconfig
>
> or if you like an all-in-one line, just execute:
>

Ok, I have done more tests.

a) Compile suricata without pf_ring options:

  export LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/lib:/lib64:/opt/pf_ring/lib:/opt/libpcap/lib
  ./configure --prefix=/opt/suricata --enable-af-packet \
    --enable-profiling --with-libpcap-includes=/opt/libpcap/include \
    --with-libpcap-libraries=/opt/libpcap/lib

 Result is: works. So libpcap is not the problem.

b) Compile suricata with pf_ring options and modified pf_ring libpcap
installed in the same path where pf_ring is located.

  export LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/lib:/lib64:/opt/pf_ring/lib
  ./configure --prefix=/opt/suricata --enable-pfring \
    --enable-af-packet --enable-profiling \
    --with-libpfring-includes=/opt/pf_ring/include \
    --with-libpfring-libraries=/opt/pf_ring/lib \
    --with-libpcap-includes=/opt/pf_ring/include \
    --with-libpcap-libraries=/opt/pf_ring/lib

  Result is: fails. With the following errors:

checking for pfring_open in -lpfring... yes
checking for pfring_enable_ring in -lpfring... yes
checking for pfring_set_cluster in -lpfring... yes
checking for pfring_set_bpf_filter in -lpfring... yes
checking for pfring_remove_bpf_filter in -lpfring... yes
checking if pfring_recv expects u_char**... yes
checking for post 5.4.0 pfring_open function... yes
checking pcap.h usability... yes
checking pcap.h presence... yes
checking for pcap.h... yes
checking for pcap_open_live in -lpcap... yes
checking for pcap_activate in -lpcap... yes
checking for pcap_set_buffer_size in -lpcap... yes
checking whether TPACKET_V2 is declared... yes
checking whether PACKET_FANOUT is declared... no
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking cap-ng.h usability... yes
checking cap-ng.h presence... yes
checking for cap-ng.h... yes
checking for capng_clear in -lcap-ng... no

   WARNING!  libcap-ng library not found, go get it
   from http://people.redhat.com/sgrubb/libcap-ng/
   or your distribution:

   Ubuntu: apt-get install libcap-ng-dev
   Fedora: yum install libcap-ng-devel

   Suricata will be built without support for dropping privs.

checking nspr.h usability... no
checking nspr.h presence... no
checking for nspr.h... no
checking sechash.h usability... no
checking sechash.h presence... no
checking for sechash.h... no
checking magic.h usability... yes
checking magic.h presence... yes
checking for magic.h... yes
checking for magic_open in -lmagic... no

   ERROR!  magic library not found, go get it
   from http://www.darwinsys.com/file/ or your distribution:

   Ubuntu: apt-get install libmagic-dev
   Fedora: yum install file-devel

As you can see, pfring libs and libpcap libs are detected ... But
this error appears in config.log:

configure:21372: gcc -o conftest -g -O2 -Wextra -Wall
-fno-strict-aliasing -fno-tree-pre -Wno-unused-parameter -std=gnu99
-march=native -DHAVE_LIBNET11 -D_BSD_SOURCE -D__BSD_SOURCE
-D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DHAVE_LIBNET_ICMPV6_UNREACH
-DHAVE_PFRING  -I/opt/libpcap/include -DLIBPCAP_VERSION_MAJOR=1
-DHAVE_PCAP_SET_BUFF  -I/opt/pf_ring/include -I/opt/libpcap/include
-L/opt/pf_ring/lib  -L/opt/pf_ring/lib conftest.c -lmagic  -lpcap
-lpfring -lpfring -lpfring -lpfring -lpfring -lnet -lpthread -lyaml
-lpcre  >&5
/opt/pf_ring/lib/libpfring.so: undefined reference to `pcap_compile_nopcap'
collect2: ld returned 1 exit status
configure:21379: $? = 1
configure: failed program was:

Which is correct, because libpcap is installed under /opt/libpcap and
not under /opt/pf_ring (I have created some softlinks for libpcap
includes and libs under pf_ring).

This means, at least to me, that libpcap includes and libraries must
be installed in the same path as those of pf_ring. And, IMHO, this is
a bug. Because bro, snort and snort-razorback compile and work OK
using different paths for pf_ring and libpcap includes and libs ...

 Or am I totally wrong??
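
Added example, not part of the original message or of Suricata's build system: a small triage script for config.log excerpts like the one above, where configure reports "magic library not found" although the link test actually failed on an unresolved symbol inside libpfring.so. It separates libraries the linker could not find from link tests broken by another library on the link line. The sample log is constructed from the lines quoted in the message, and treating the first -l option after conftest.c as the library under test is an assumption about how AC_CHECK_LIB builds the link line.

```python
import re

# Constructed sample: the failing link test from the message (compiler flags
# abridged, rejoined onto one line), one invented missing-library case, one pass.
SAMPLE_LOG = """\
configure:21372: gcc -o conftest -g -O2 -I/opt/pf_ring/include -L/opt/pf_ring/lib conftest.c -lmagic  -lpcap -lpfring -lnet -lpthread -lyaml -lpcre  >&5
/opt/pf_ring/lib/libpfring.so: undefined reference to `pcap_compile_nopcap'
collect2: ld returned 1 exit status
configure:21379: $? = 1
configure:30000: gcc -o conftest -g -O2 conftest.c -lexample  >&5
/usr/bin/ld: cannot find -lexample
configure:30007: $? = 1
configure:31000: gcc -o conftest -g -O2 conftest.c -lyaml  >&5
configure:31007: $? = 0
"""

CMD = re.compile(r"^configure:(\d+): \S*(?:gcc|cc|clang)\b.*\bconftest\.c\b(.*)$")
STATUS = re.compile(r"^configure:\d+: \$\? = (\d+)")
UNDEF = re.compile(r"^(.+?): undefined reference to [`'](\w+)'")
MISSING = re.compile(r"cannot find -l(\S+)")

def classify(rec):
    """Name the root cause of one failed link test from the linker's messages."""
    for diag in rec["diag"]:
        if (m := MISSING.search(diag)):
            return (rec["line"], rec["lib"], "library-not-found", "-l" + m.group(1))
        if (u := UNDEF.match(diag)):
            origin = u.group(1).split()[-1]
            # Raised from inside another library: a dependency is unresolved.
            dep = re.search(r"\.(so[.\d]*|a)$", origin)
            kind = "unresolved-dependency" if dep else "symbol-not-in-library"
            return (rec["line"], rec["lib"], kind, f"{origin} needs {u.group(2)}")
    return (rec["line"], rec["lib"], "other", "")

def triage(log_text):
    """Return (configure line, tested lib, kind, detail) per failed link test."""
    findings, cur = [], None
    for line in log_text.splitlines():
        if (m := CMD.match(line)):
            # Assumption: AC_CHECK_LIB puts the library under test first.
            libs = re.findall(r"(?<!\S)-l(\S+)", m.group(2))
            cur = {"line": int(m.group(1)), "lib": libs[0] if libs else None, "diag": []}
        elif cur is not None and (s := STATUS.match(line)):
            if s.group(1) != "0":
                findings.append(classify(cur))
            cur = None
        elif cur is not None:
            cur["diag"].append(line)
    return findings
```

To run it over a real build, pass the file contents: triage(open("config.log").read()).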


