[Oisf-users] Fwd: Zero packets captured with suricata 2.0.4+PFRING 6.0.2

Giuseppe Longo giuseppelng at gmail.com
Mon Oct 13 06:56:59 UTC 2014


Cc'ed the list


---------- Forwarded message ----------
From: Giuseppe Longo <giuseppelng at gmail.com>
Date: 2014-10-13 8:53 GMT+02:00
Subject: Re: [Oisf-users] Zero packets captured with suricata 2.0.4+PFRING 6.0.2
To: "C. L. Martinez" <carlopmart at gmail.com>


Hi,
Could you share your default-packet-size?
If it is set to 1552, please try to increase it:

default-packet-size: 65534

2014-10-13 8:50 GMT+02:00 C. L. Martinez <carlopmart at gmail.com>:
> On Fri, Oct 10, 2014 at 1:44 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> Hi,
>> Could you please share the output of :
>>
>> 1)
>> modinfo pf_ring && cat /proc/net/pf_ring/info
>>
>> 2)
>> pfring section in your suricata.yaml
>>
>> 3)
>> suricata --build-info
>> ?
>>
>
> Sorry for the delay.
>
> Here, the answers:
>
> a)
> modinfo pf_ring:
>
> filename:
> /lib/modules/2.6.32-431.29.2.el6.x86_64/kernel/net/pf_ring/pf_ring.ko
> alias:          net-pf-27
> description:    Packet capture acceleration and analysis
> author:         Luca Deri <deri at ntop.org>
> license:        GPL
> srcversion:     CE1D96764C8F88915343823
> depends:
> vermagic:       2.6.32-431.29.2.el6.x86_64 SMP mod_unload modversions
> parm:           min_num_slots:Min number of ring slots (uint)
> parm:           perfect_rules_hash_size:Perfect rules hash size (uint)
> parm:           transparent_mode:0=standard Linux,
> 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and
> 2 you need to use a PF_RING aware driver (uint)
> parm:           enable_debug:Set to 1 to enable PF_RING debug tracing
> into the syslog (uint)
> parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
> parm:           enable_frag_coherence:Set to 1 to handle fragments
> (flow coherence) in clusters (uint)
> parm:           enable_ip_defrag:Set to 1 to enable IP
> defragmentation(only rx traffic is defragmentead) (uint)
> parm:           quick_mode:Set to 1 to run at full speed but with upto
> one socket per interface (uint)
>
> cat /proc/net/pf_rig/info
> PF_RING Version          : 6.0.2 ($Revision: $)
> Total rings              : 1
>
> Standard (non DNA) Options
> Ring slots               : 65534
> Slot version             : 16
> Capture TX               : No [RX only]
> IP Defragment            : No
> Socket Mode              : Standard
> Transparent mode         : Yes [mode 2]
> Total plugins            : 0
> Cluster Fragment Queue   : 0
> Cluster Fragment Discard : 0
>
>
> 2)
>
> pfring:
>   - interface: eth3
>     # Number of receive threads (>1 will enable experimental flow pinned
>     # runmode)
>     threads: 2
>
>     # Default clusterid.  PF_RING will load balance packets based on flow.
>     # All threads/processes that will participate need to have the same
>     # clusterid.
>     cluster-id: 99
>
>     # Default PF_RING cluster type. PF_RING can load balance per flow
> or per hash.
>     # This is only supported in versions of PF_RING > 4.1.1.
>     cluster-type: cluster_round_robin
>     # Choose checksum verification mode for the interface. At the moment
>     # of the capture, some packets may be with an invalid checksum due to
>     # offloading to the network card of the checksum computation.
>     # Possible values are:
>     #  - rxonly: only compute checksum for packets received by network card.
>     #  - yes: checksum validation is forced
>     #  - no: checksum validation is disabled
>     #  - auto: suricata uses a statistical approach to detect when
>     #  checksum off-loading is used. (default)
>     # Warning: 'checksum-validation' must be set to yes to have any validation
>     #checksum-checks: auto
>
> 3)
>
>  suricata --build-info
> This is Suricata version 2.0.4 RELEASE
> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET
> HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
> HAVE_NSS HAVE_LIBJANSSON PROFILING
> SIMD support: none
> Atomic intrisics: 1 2 4 8 byte(s)
> 64-bits, Little-endian architecture
> GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
> L1 cache line size (CLS)=64
> compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
> Suricata Configuration:
>   AF_PACKET support:                       yes
>   PF_RING support:                         yes
>   NFQueue support:                         no
>   NFLOG support:                           no
>   IPFW support:                            no
>   DAG enabled:                             no
>   Napatech enabled:                        no
>   Unix socket enabled:                     yes
>   Detection enabled:                       yes
>
>   libnss support:                          yes
>   libnspr support:                         yes
>   libjansson support:                      yes
>   Prelude support:                         no
>   PCRE jit:                                no
>   LUA support:                             no
>   libluajit:                               no
>   libgeoip:                                yes
>   Non-bundled htp:                         no
>   Old barnyard2 support:                   no
>   CUDA enabled:                            no
>
>   Suricatasc install:                      yes
>
>   Unit tests enabled:                      no
>   Debug output enabled:                    no
>   Debug validation enabled:                no
>   Profiling enabled:                       yes
>   Profiling locks enabled:                 no
>   Coccinelle / spatch:                     no
>
> Generic build parameters:
>   Installation prefix (--prefix):          /opt/suricata
>   Configuration directory (--sysconfdir):  /opt/suricata/etc/suricata/
>   Log directory (--localstatedir) :        /opt/suricata/var/log/suricata/
>
>   Host:                                    x86_64-unknown-linux-gnu
>   GCC binary:                              gcc
>   GCC Protect enabled:                     no
>   GCC march native enabled:                no
>   GCC Profile enabled:                     no
>
>
> In this vm, I have a moloch instance to do some tests also. Moloch
> listens in eth2. I have changed transparent_mode to 1 in pf_ring
> module and I setup suricata to listen in the same interface. Result:
> all works.
>
>
> So, when I configure pf_ring module to use transparent_mode to 2 and I
> use a different interface for suricata (in my case, eth3), it doesn't
> works. But If I setup pf_ring module to use transparent_mode to 1 and
> suricata listens in the same net device as a Moloch instance, all
> works.
>
> Any ideas why??
>
>
> I use e1000 driver provided by pf_ring package in both tests ....
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/



More information about the Oisf-users mailing list