[Oisf-users] Error compiling suricata 1.3.2 against pf_ring 5.4.6

Martin Holste mcholste at gmail.com
Tue Oct 30 14:21:40 UTC 2012


PF_RING requires its own version of libpcap, so although there is
technically a libpfring and a libpcap, the libpcap is really part of
PF_RING and you can't separate the two.  When I build a box, I always
remove the system-installed version of libpcap, like apt-get remove
libpcap so that I know whatever libpcap is being used by the system is
the PF_RING version.  That said, there's no reason that you can't have
both on the system, it just creates more opportunities for compile
errors like this.

To find missing links without having to run the whole "make," you can just run:
ldd /opt/pf_ring/lib/libpfring.so
You should see the same error regarding an undefined reference.  My
hunch is that when you compiled libpfring, it used the stock system
libpcap instead of the bundled PF_RING libpcap, but that's just a
guess.  I would try recompiling libpfring.so.

On Tue, Oct 30, 2012 at 2:29 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> On Mon, Oct 29, 2012 at 9:09 PM, Peter Manev <petermanev at gmail.com> wrote:
>> Hi Carlo,
>>
>> I just followed the guide here for the pfring installation:
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1204
>>
>> and I was able to build Suricata with pfring without any trouble on CentOS.
>> -
>>
>> [user at localhost oisf]$ LD_LIBRARY_PATH=/usr/local/pfring/lib suricata
>> --build-info
>> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:540) <Info> (SCPrintBuildInfo)
>> -- This is Suricata version 1.4dev (rev bca1b7c)
>> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:613) <Info> (SCPrintBuildInfo)
>> -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET
>> HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
>> HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
>> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:627) <Info> (SCPrintBuildInfo)
>> -- 64-bits, Little-endian architecture
>> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:629) <Info> (SCPrintBuildInfo)
>> -- GCC version 4.4.6 20120305 (Red Hat 4.4.6-4), C version 199901
>> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:635) <Info> (SCPrintBuildInfo)
>> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
>> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:638) <Info> (SCPrintBuildInfo)
>> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
>> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:641) <Info> (SCPrintBuildInfo)
>> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
>> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:644) <Info> (SCPrintBuildInfo)
>> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
>> [28175] 29/10/2012 -- 18:59:54 - (suricata.c:647) <Info> (SCPrintBuildInfo)
>> -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
>>
>> [user at localhost oisf]$ cat /proc/net/pf_ring/info
>> PF_RING Version     : 5.4.6 ($Revision: exported$)
>> Ring slots          : 4096
>> Slot version        : 14
>> Capture TX          : Yes [RX+TX]
>> IP Defragment       : No
>> Socket Mode         : Standard
>> Transparent mode    : Yes (mode 0)
>> Total rings         : 0
>> Total plugins       : 0
>> [user at localhost oisf]$
>>
>> [user at localhost oisf]$ uname -a
>> Linux localhost.localdomain 2.6.32-279.5.2.el6.x86_64 #1 SMP Fri Aug 24
>> 01:07:11 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>> [user at localhost oisf]$
>>
>> [user at localhost oisf]$ cat /etc/redhat-release
>> CentOS release 6.3 (Final)
>>
>>
>> My configure/compile line was:
>>
>> sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git
>>  cd oisf/
>>  sudo ./autogen.sh
>>  ./configure --enable-pfring
>> --with-libpfring-includes=/usr/local/pfring/include
>> --with-libpfring-libraries=/usr/local/pfring/lib
>> --with-libpcap-includes=/usr/local/pfring/include
>> --with-libpcap-libraries=/usr/local/pfring/lib
>> make clean
>> make
>> sudo make install
>> sudo ldconfig
>>
>> or if you like an all-in-one line, just execute:
>>
>
> OK, I have done more tests.
>
> a) Compile suricata without pf_ring options:
>
>   export LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/lib:/lib64:/opt/pf_ring/lib:/opt/libpcap/lib
>   ./configure --prefix=/opt/suricata --enable-af-packet
> --enable-profiling --with-libpcap-includes=/opt/libpcap/include
> --with-libpcap-libraries=/opt/libpcap/lib
>
>  Result is: works. Then, libpcap is not the problem
>
> b) Compile suricata with pf_ring options and modified pf_ring libpcap
> installed in the same path where pf_ring is located.
>
>   export LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/lib:/lib64:/opt/pf_ring/lib
>   ./configure --prefix=/opt/suricata --enable-pfring
> --enable-af-packet --enable-profiling
> --with-libpfring-includes=/opt/pf_ring/include
> --with-libpfring-libraries=/opt/pf_ring/lib
> --with-libpcap-includes=/opt/pf_ring/include
> --with-libpcap-libraries=/opt/pf_ring/lib
>
>   Result is: fails. With the following errors:
>
> checking for pfring_open in -lpfring... yes
> checking for pfring_enable_ring in -lpfring... yes
> checking for pfring_set_cluster in -lpfring... yes
> checking for pfring_set_bpf_filter in -lpfring... yes
> checking for pfring_remove_bpf_filter in -lpfring... yes
> checking if pfring_recv expects u_char**... yes
> checking for post 5.4.0 pfring_open function... yes
> checking pcap.h usability... yes
> checking pcap.h presence... yes
> checking for pcap.h... yes
> checking for pcap_open_live in -lpcap... yes
> checking for pcap_activate in -lpcap... yes
> checking for pcap_set_buffer_size in -lpcap... yes
> checking whether TPACKET_V2 is declared... yes
> checking whether PACKET_FANOUT is declared... no
> checking for pkg-config... /usr/bin/pkg-config
> checking pkg-config is at least version 0.9.0... yes
> checking cap-ng.h usability... yes
> checking cap-ng.h presence... yes
> checking for cap-ng.h... yes
> checking for capng_clear in -lcap-ng... no
>
>    WARNING!  libcap-ng library not found, go get it
>    from http://people.redhat.com/sgrubb/libcap-ng/
>    or your distribution:
>
>    Ubuntu: apt-get install libcap-ng-dev
>    Fedora: yum install libcap-ng-devel
>
>    Suricata will be built without support for dropping privs.
>
> checking nspr.h usability... no
> checking nspr.h presence... no
> checking for nspr.h... no
> checking sechash.h usability... no
> checking sechash.h presence... no
> checking for sechash.h... no
> checking magic.h usability... yes
> checking magic.h presence... yes
> checking for magic.h... yes
> checking for magic_open in -lmagic... no
>
>    ERROR!  magic library not found, go get it
>    from http://www.darwinsys.com/file/ or your distribution:
>
>    Ubuntu: apt-get install libmagic-dev
>    Fedora: yum install file-devel
>
> As you can see, pfring libs and libpcap libs are detected ... But
> under config.log appears this error:
>
> configure:21372: gcc -o conftest -g -O2 -Wextra -Wall
> -fno-strict-aliasing -fno-tree-pre -Wno-unused-parameter -std=gnu99
> -march=native -DHAVE_LIBNET11 -D_BSD_SOURCE -D__BSD_SOURCE
> -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DHAVE_LIBNET_ICMPV6_UNREACH
> -DHAVE_PFRING  -I/opt/libpcap/include -DLIBPCAP_VERSION_MAJOR=1
> -DHAVE_PCAP_SET_BUFF  -I/opt/pf_ring/include -I/opt/libpcap/include
> -L/opt/pf_ring/lib  -L/opt/pf_ring/lib conftest.c -lmagic  -lpcap
> -lpfring -lpfring -lpfring -lpfring -lpfring -lnet -lpthread -lyaml
> -lpcre  >&5
> /opt/pf_ring/lib/libpfring.so: undefined reference to `pcap_compile_nopcap'
> collect2: ld returned 1 exit status
> configure:21379: $? = 1
> configure: failed program was:
>
> Which is correct, because libpcap is installed under /opt/libpcap and
> not under /opt/pf_ring (I have created some softlinks for libpcap
> includes and libs under pf_ring).
>
> This means, at least to me, that libpcap includes and libraries must
> be installed in the same path as those of pf_ring. And, IMHO, this is
> a bug. Because bro, snort and snort-razorback compile and work OK
> using different paths for pf_ring and libpcap includes and libs ...
>
>  Or am I totally wrong??
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
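
The symbol check discussed in this thread, as an added example that is not part of the original messages: it compares the pcap_* symbols a libpfring.so needs against what a candidate libpcap.so exports, using `nm -D` from binutils. The function names, the libpcap.so file name and the sample nm output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from PF_RING/Suricata.

# Read `nm -D --undefined-only` output on stdin, print the needed symbol names.
undefined_syms() {
    awk '$1 == "U" || $1 == "w" { sub(/@.*/, "", $2); print $2 }' | sort -u
}

# Read `nm -D --defined-only` output on stdin, print the exported symbol names.
exported_syms() {
    awk 'NF == 3 && $2 ~ /^[TWDBRVi]$/ { sub(/@.*/, "", $3); print $3 }' | sort -u
}

# $1 = undefined-symbol listing of libpfring, $2 = defined-symbol listing of a
# candidate libpcap. Prints every pcap_* symbol the candidate does not export.
unresolved_pcap() {
    want=$(printf '%s\n' "$1" | undefined_syms | awk '/^pcap_/')
    have=$(printf '%s\n' "$2" | exported_syms)
    for s in $want; do
        printf '%s\n' "$have" | grep -qxF -- "$s" || printf '%s\n' "$s"
    done
}

# Same check against real files, e.g. (libpcap.so name is an assumption):
#   check_link /opt/pf_ring/lib/libpfring.so /opt/pf_ring/lib/libpcap.so
check_link() {
    unresolved_pcap "$(nm -D --undefined-only "$1")" "$(nm -D --defined-only "$2")"
}

# Constructed sample listings (not captured from the poster's system).
PFRING_UNDEF='                 U pcap_compile_nopcap
                 U pcap_freecode
                 U pthread_mutex_lock
                 w __gmon_start__'
# Hypothetical libpcap build A: does not export pcap_compile_nopcap.
PCAP_A_DEF='0000000000009a10 T pcap_freecode
0000000000007c40 T pcap_open_live'
# Hypothetical libpcap build B: exports everything libpfring needs.
PCAP_B_DEF='0000000000009a10 T pcap_freecode
0000000000007c40 T pcap_open_live
000000000000b120 T pcap_compile_nopcap'

# Demo on the constructed data: lists what build A leaves unresolved.
unresolved_pcap "$PFRING_UNDEF" "$PCAP_A_DEF"
```

An empty result from `check_link` means the candidate libpcap satisfies every pcap_* reference in libpfring.so; any name printed is one the linker would report as an undefined reference.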
