[Oisf-users] Zero packets captured with suricata 2.0.4+PFRING 6.0.2

Mon Oct 13 06:50:48 UTC 2014

On Fri, Oct 10, 2014 at 1:44 PM, Peter Manev <petermanev at gmail.com> wrote:
>
> Hi,
> Could you please share the output of :
>
> 1)
> modinfo pf_ring && cat /proc/net/pf_ring/info
>
> 2)
> pfring section in your suricata.yaml
>
> 3)
> suricata --build-info
> ?
>

Sorry for the delay.

Here, the answers:

a)
modinfo pf_ring:

filename:
/lib/modules/2.6.32-431.29.2.el6.x86_64/kernel/net/pf_ring/pf_ring.ko
alias:          net-pf-27
description:    Packet capture acceleration and analysis
author:         Luca Deri <deri at ntop.org>
license:        GPL
srcversion:     CE1D96764C8F88915343823
depends:
vermagic:       2.6.32-431.29.2.el6.x86_64 SMP mod_unload modversions
parm:           min_num_slots:Min number of ring slots (uint)
parm:           perfect_rules_hash_size:Perfect rules hash size (uint)
parm:           transparent_mode:0=standard Linux,
1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and
2 you need to use a PF_RING aware driver (uint)
parm:           enable_debug:Set to 1 to enable PF_RING debug tracing
into the syslog (uint)
parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm:           enable_frag_coherence:Set to 1 to handle fragments
(flow coherence) in clusters (uint)
parm:           enable_ip_defrag:Set to 1 to enable IP
defragmentation(only rx traffic is defragmentead) (uint)
parm:           quick_mode:Set to 1 to run at full speed but with upto
one socket per interface (uint)

cat /proc/net/pf_rig/info
PF_RING Version          : 6.0.2 ($Revision: $)
Total rings              : 1

Standard (non DNA) Options
Ring slots               : 65534
Slot version             : 16
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 2]
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

2)

pfring:
  - interface: eth3
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 2

    # Default clusterid.  PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99

    # Default PF_RING cluster type. PF_RING can load balance per flow
or per hash.
    # This is only supported in versions of PF_RING > 4.1.1.
    cluster-type: cluster_round_robin
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto

3)

 suricata --build-info
This is Suricata version 2.0.4 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET
HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
HAVE_NSS HAVE_LIBJANSSON PROFILING
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                no
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       yes
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /opt/suricata
  Configuration directory (--sysconfdir):  /opt/suricata/etc/suricata/
  Log directory (--localstatedir) :        /opt/suricata/var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no

In this vm, I have a moloch instance to do some tests also. Moloch
listens in eth2. I have changed transparent_mode to 1 in pf_ring
module and I setup suricata to listen in the same interface. Result:
all works.

So, when I configure pf_ring module to use transparent_mode to 2 and I
use a different interface for suricata (in my case, eth3), it doesn't
works. But If I setup pf_ring module to use transparent_mode to 1 and
suricata listens in the same net device as a Moloch instance, all
works.

Any ideas why??

I use e1000 driver provided by pf_ring package in both tests ....