[Oisf-users] Fwd: Zero packets captured with suricata 2.0.4+PFRING 6.0.2
Giuseppe Longo
giuseppelng at gmail.com
Mon Oct 13 06:56:59 UTC 2014
Cc'ed the list
---------- Forwarded message ----------
From: Giuseppe Longo <giuseppelng at gmail.com>
Date: 2014-10-13 8:53 GMT+02:00
Subject: Re: [Oisf-users] Zero packets captured with suricata 2.0.4+PFRING 6.0.2
To: "C. L. Martinez" <carlopmart at gmail.com>
Hi,
Could you share your default-packet-size?
If it is set to 1552, please try to increase it:
default-packet-size: 65534
2014-10-13 8:50 GMT+02:00 C. L. Martinez <carlopmart at gmail.com>:
> On Fri, Oct 10, 2014 at 1:44 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> Hi,
>> Could you please share the output of :
>>
>> 1)
>> modinfo pf_ring && cat /proc/net/pf_ring/info
>>
>> 2)
>> pfring section in your suricata.yaml
>>
>> 3)
>> suricata --build-info
>> ?
>>
>
> Sorry for the delay.
>
> Here, the answers:
>
> a)
> modinfo pf_ring:
>
> filename:
> /lib/modules/2.6.32-431.29.2.el6.x86_64/kernel/net/pf_ring/pf_ring.ko
> alias: net-pf-27
> description: Packet capture acceleration and analysis
> author: Luca Deri <deri at ntop.org>
> license: GPL
> srcversion: CE1D96764C8F88915343823
> depends:
> vermagic: 2.6.32-431.29.2.el6.x86_64 SMP mod_unload modversions
> parm: min_num_slots:Min number of ring slots (uint)
> parm: perfect_rules_hash_size:Perfect rules hash size (uint)
> parm: transparent_mode:0=standard Linux,
> 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and
> 2 you need to use a PF_RING aware driver (uint)
> parm: enable_debug:Set to 1 to enable PF_RING debug tracing
> into the syslog (uint)
> parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
> parm: enable_frag_coherence:Set to 1 to handle fragments
> (flow coherence) in clusters (uint)
> parm: enable_ip_defrag:Set to 1 to enable IP
> defragmentation(only rx traffic is defragmentead) (uint)
> parm: quick_mode:Set to 1 to run at full speed but with upto
> one socket per interface (uint)
>
> cat /proc/net/pf_ring/info
> PF_RING Version : 6.0.2 ($Revision: $)
> Total rings : 1
>
> Standard (non DNA) Options
> Ring slots : 65534
> Slot version : 16
> Capture TX : No [RX only]
> IP Defragment : No
> Socket Mode : Standard
> Transparent mode : Yes [mode 2]
> Total plugins : 0
> Cluster Fragment Queue : 0
> Cluster Fragment Discard : 0
>
>
> 2)
>
> pfring:
> - interface: eth3
> # Number of receive threads (>1 will enable experimental flow pinned
> # runmode)
> threads: 2
>
> # Default clusterid. PF_RING will load balance packets based on flow.
> # All threads/processes that will participate need to have the same
> # clusterid.
> cluster-id: 99
>
> # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
> # This is only supported in versions of PF_RING > 4.1.1.
> cluster-type: cluster_round_robin
> # Choose checksum verification mode for the interface. At the moment
> # of the capture, some packets may be with an invalid checksum due to
> # offloading to the network card of the checksum computation.
> # Possible values are:
> # - rxonly: only compute checksum for packets received by network card.
> # - yes: checksum validation is forced
> # - no: checksum validation is disabled
> # - auto: suricata uses a statistical approach to detect when
> # checksum off-loading is used. (default)
> # Warning: 'checksum-validation' must be set to yes to have any validation
> #checksum-checks: auto
>
> 3)
>
> suricata --build-info
> This is Suricata version 2.0.4 RELEASE
> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET
> HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
> HAVE_NSS HAVE_LIBJANSSON PROFILING
> SIMD support: none
> Atomic intrisics: 1 2 4 8 byte(s)
> 64-bits, Little-endian architecture
> GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
> L1 cache line size (CLS)=64
> compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
> Suricata Configuration:
> AF_PACKET support: yes
> PF_RING support: yes
> NFQueue support: no
> NFLOG support: no
> IPFW support: no
> DAG enabled: no
> Napatech enabled: no
> Unix socket enabled: yes
> Detection enabled: yes
>
> libnss support: yes
> libnspr support: yes
> libjansson support: yes
> Prelude support: no
> PCRE jit: no
> LUA support: no
> libluajit: no
> libgeoip: yes
> Non-bundled htp: no
> Old barnyard2 support: no
> CUDA enabled: no
>
> Suricatasc install: yes
>
> Unit tests enabled: no
> Debug output enabled: no
> Debug validation enabled: no
> Profiling enabled: yes
> Profiling locks enabled: no
> Coccinelle / spatch: no
>
> Generic build parameters:
> Installation prefix (--prefix): /opt/suricata
> Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/
> Log directory (--localstatedir) : /opt/suricata/var/log/suricata/
>
> Host: x86_64-unknown-linux-gnu
> GCC binary: gcc
> GCC Protect enabled: no
> GCC march native enabled: no
> GCC Profile enabled: no
>
>
> In this vm, I have a moloch instance to do some tests also. Moloch
> listens in eth2. I have changed transparent_mode to 1 in pf_ring
> module and I set up suricata to listen in the same interface. Result:
> all works.
>
>
> So, when I configure pf_ring module to use transparent_mode to 2 and I
> use a different interface for suricata (in my case, eth3), it doesn't
> work. But if I set up pf_ring module to use transparent_mode to 1 and
> suricata listens in the same net device as a Moloch instance, all
> works.
>
> Any ideas why?
>
>
> I use e1000 driver provided by pf_ring package in both tests ....
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
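The three artefacts Peter asked for (modinfo pf_ring, /proc/net/pf_ring/info and the pfring section of suricata.yaml) are exactly what a triage script can check mechanically. The script below is an added example by the editor, not code from this thread or from the Suricata or PF_RING projects. The two sample inputs are constructed to mirror what Carlos posted (field spacing in /proc output varies between PF_RING versions, so the parser tolerates any whitespace around the colon); the "PF_RING aware driver" condition is quoted from the transparent_mode parm text in the modinfo output above, the default-packet-size advice is Giuseppe's, and the cluster_flow recommendation is general Suricata guidance rather than something stated on this page. The YAML parsing is deliberately minimal so it runs without PyYAML.

```python
"""Triage helper for the 'zero packets captured with PF_RING' symptom.

Reads /proc/net/pf_ring/info and the pfring: section of suricata.yaml (plus the
top-level default-packet-size) and returns the checks a responder would run first.
"""
import re

# Constructed sample inputs modelled on the outputs posted in the thread; not
# copied from a real host.
SAMPLE_PF_RING_INFO = """\
PF_RING Version          : 6.0.2 ($Revision: $)
Total rings              : 1

Standard (non DNA) Options
Ring slots               : 65534
Slot version             : 16
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 2]
Total plugins            : 0
"""

SAMPLE_SURICATA_YAML = """\
default-packet-size: 1552

pfring:
  - interface: eth3
    threads: 2
    cluster-id: 99
    cluster-type: cluster_round_robin
    #checksum-checks: auto
"""


def parse_pf_ring_info(text):
    """Return version, number of open rings and transparent_mode from /proc/net/pf_ring/info."""
    info = {"version": None, "total_rings": 0, "transparent_mode": 0}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "PF_RING Version":
            info["version"] = value.split()[0]
        elif key == "Total rings":
            info["total_rings"] = int(value)
        elif key == "Transparent mode":
            # "No" means mode 0 (standard Linux path); "Yes [mode N]" carries N.
            m = re.search(r"\[mode (\d)\]", value)
            info["transparent_mode"] = int(m.group(1)) if m else 0
    return info


def parse_suricata_pfring(text):
    """Extract default-packet-size and the pfring interface entries (comment-aware, no PyYAML)."""
    packet_size = None
    interfaces = []
    in_pfring = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments, keep indentation
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:  # top-level key: either enters or leaves the pfring section
            in_pfring = stripped == "pfring:"
            if stripped.startswith("default-packet-size:"):
                packet_size = int(stripped.split(":", 1)[1])
            continue
        if not in_pfring:
            continue
        if stripped.startswith("- "):  # "- interface: ethN" starts a new entry
            interfaces.append({})
            stripped = stripped[2:]
        key, _, value = stripped.partition(":")
        interfaces[-1][key.strip()] = value.strip()
    return packet_size, interfaces


def triage(info, packet_size, interfaces):
    """Return findings as strings, most likely cause of an empty capture first."""
    findings = []
    mode = info["transparent_mode"]
    for entry in interfaces:
        iface = entry.get("interface", "?")
        threads = int(entry.get("threads", 1))
        ctype = entry.get("cluster-type")
        if mode in (1, 2):
            findings.append(
                "transparent_mode=%d: %s must be driven by a PF_RING-aware driver (modinfo: "
                "'For 1 and 2 you need to use a PF_RING aware driver'); in mode 2 the kernel "
                "stack no longer sees the packets, so plain tcpdump is not a valid cross-check. "
                "Reload pf_ring with transparent_mode=0 to rule the driver out." % (mode, iface))
        if threads > 1 and ctype != "cluster_flow":
            findings.append(
                "%s: threads=%d with cluster-type=%s spreads one flow over several threads; "
                "use cluster_flow so each flow is tracked by a single thread." % (iface, threads, ctype))
        if info["total_rings"] < threads:
            findings.append(
                "%s: %d ring(s) open but %d receive threads configured; each thread opens its "
                "own ring, so look for pfring_open errors in suricata.log." % (iface, info["total_rings"], threads))
    if packet_size is not None and packet_size <= 1552:
        findings.append("default-packet-size=%d: try 65534, as suggested in the thread." % packet_size)
    return findings


if __name__ == "__main__":
    size, ifaces = parse_suricata_pfring(SAMPLE_SURICATA_YAML)
    for finding in triage(parse_pf_ring_info(SAMPLE_PF_RING_INFO), size, ifaces):
        print("-", finding)
```

On a real sensor, feed it `open("/proc/net/pf_ring/info").read()` and the contents of suricata.yaml instead of the constructed samples; the ring count is only meaningful if /proc is read while Suricata is running.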