[Oisf-users] Zero packets captured with suricata 2.0.4+PFRING 6.0.2

C. L. Martinez carlopmart at gmail.com
Mon Oct 13 06:58:50 UTC 2014


Thanks for your answer Giuseppe, but one question: why 65534? This
is a 1GiB net. The MTU for the net device is configured to 1514 ....


On Mon, Oct 13, 2014 at 6:53 AM, Giuseppe Longo <giuseppelng at gmail.com> wrote:
> Hi,
> Could you share your default-packet-size?
> If it is set to 1552, please try to increase it:
>
> default-packet-size: 65534
>
> 2014-10-13 8:50 GMT+02:00 C. L. Martinez <carlopmart at gmail.com>:
>> On Fri, Oct 10, 2014 at 1:44 PM, Peter Manev <petermanev at gmail.com> wrote:
>>>
>>> Hi,
>>> Could you please share the output of :
>>>
>>> 1)
>>> modinfo pf_ring && cat /proc/net/pf_ring/info
>>>
>>> 2)
>>> pfring section in your suricata.yaml
>>>
>>> 3)
>>> suricata --build-info
>>> ?
>>>
>>
>> Sorry for the delay.
>>
>> Here, the answers:
>>
>> a)
>> modinfo pf_ring:
>>
>> filename:
>> /lib/modules/2.6.32-431.29.2.el6.x86_64/kernel/net/pf_ring/pf_ring.ko
>> alias:          net-pf-27
>> description:    Packet capture acceleration and analysis
>> author:         Luca Deri <deri at ntop.org>
>> license:        GPL
>> srcversion:     CE1D96764C8F88915343823
>> depends:
>> vermagic:       2.6.32-431.29.2.el6.x86_64 SMP mod_unload modversions
>> parm:           min_num_slots:Min number of ring slots (uint)
>> parm:           perfect_rules_hash_size:Perfect rules hash size (uint)
>> parm:           transparent_mode:0=standard Linux,
>> 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and
>> 2 you need to use a PF_RING aware driver (uint)
>> parm:           enable_debug:Set to 1 to enable PF_RING debug tracing
>> into the syslog (uint)
>> parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
>> parm:           enable_frag_coherence:Set to 1 to handle fragments
>> (flow coherence) in clusters (uint)
>> parm:           enable_ip_defrag:Set to 1 to enable IP
>> defragmentation(only rx traffic is defragmentead) (uint)
>> parm:           quick_mode:Set to 1 to run at full speed but with upto
>> one socket per interface (uint)
>>
>> cat /proc/net/pf_ring/info
>> PF_RING Version          : 6.0.2 ($Revision: $)
>> Total rings              : 1
>>
>> Standard (non DNA) Options
>> Ring slots               : 65534
>> Slot version             : 16
>> Capture TX               : No [RX only]
>> IP Defragment            : No
>> Socket Mode              : Standard
>> Transparent mode         : Yes [mode 2]
>> Total plugins            : 0
>> Cluster Fragment Queue   : 0
>> Cluster Fragment Discard : 0
>>
>>
>> 2)
>>
>> pfring:
>>   - interface: eth3
>>     # Number of receive threads (>1 will enable experimental flow pinned
>>     # runmode)
>>     threads: 2
>>
>>     # Default clusterid.  PF_RING will load balance packets based on flow.
>>     # All threads/processes that will participate need to have the same
>>     # clusterid.
>>     cluster-id: 99
>>
>>     # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
>>     # This is only supported in versions of PF_RING > 4.1.1.
>>     cluster-type: cluster_round_robin
>>     # Choose checksum verification mode for the interface. At the moment
>>     # of the capture, some packets may be with an invalid checksum due to
>>     # offloading to the network card of the checksum computation.
>>     # Possible values are:
>>     #  - rxonly: only compute checksum for packets received by network card.
>>     #  - yes: checksum validation is forced
>>     #  - no: checksum validation is disabled
>>     #  - auto: suricata uses a statistical approach to detect when
>>     #  checksum off-loading is used. (default)
>>     # Warning: 'checksum-validation' must be set to yes to have any validation
>>     #checksum-checks: auto
>>
>> 3)
>>
>>  suricata --build-info
>> This is Suricata version 2.0.4 RELEASE
>> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET
>> HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
>> HAVE_NSS HAVE_LIBJANSSON PROFILING
>> SIMD support: none
>> Atomic intrisics: 1 2 4 8 byte(s)
>> 64-bits, Little-endian architecture
>> GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
>> L1 cache line size (CLS)=64
>> compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
>> Suricata Configuration:
>>   AF_PACKET support:                       yes
>>   PF_RING support:                         yes
>>   NFQueue support:                         no
>>   NFLOG support:                           no
>>   IPFW support:                            no
>>   DAG enabled:                             no
>>   Napatech enabled:                        no
>>   Unix socket enabled:                     yes
>>   Detection enabled:                       yes
>>
>>   libnss support:                          yes
>>   libnspr support:                         yes
>>   libjansson support:                      yes
>>   Prelude support:                         no
>>   PCRE jit:                                no
>>   LUA support:                             no
>>   libluajit:                               no
>>   libgeoip:                                yes
>>   Non-bundled htp:                         no
>>   Old barnyard2 support:                   no
>>   CUDA enabled:                            no
>>
>>   Suricatasc install:                      yes
>>
>>   Unit tests enabled:                      no
>>   Debug output enabled:                    no
>>   Debug validation enabled:                no
>>   Profiling enabled:                       yes
>>   Profiling locks enabled:                 no
>>   Coccinelle / spatch:                     no
>>
>> Generic build parameters:
>>   Installation prefix (--prefix):          /opt/suricata
>>   Configuration directory (--sysconfdir):  /opt/suricata/etc/suricata/
>>   Log directory (--localstatedir) :        /opt/suricata/var/log/suricata/
>>
>>   Host:                                    x86_64-unknown-linux-gnu
>>   GCC binary:                              gcc
>>   GCC Protect enabled:                     no
>>   GCC march native enabled:                no
>>   GCC Profile enabled:                     no
>>
>>
>> In this VM, I also have a Moloch instance to do some tests. Moloch
>> listens on eth2. I changed transparent_mode to 1 in the pf_ring
>> module and set up suricata to listen on the same interface. Result:
>> all works.
>>
>>
>> So, when I configure the pf_ring module to use transparent_mode 2 and
>> use a different interface for suricata (in my case, eth3), it doesn't
>> work. But if I set up the pf_ring module to use transparent_mode 1 and
>> suricata listens on the same net device as the Moloch instance, all
>> works.
>>
>> Any ideas why??
>>
>>
>> I use the e1000 driver provided by the pf_ring package in both tests ....
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
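Added example, not from the thread above and not part of Suricata or PF_RING: a small POSIX shell helper that pulls the two facts the replies argue about out of a capture setup. It parses the transparent_mode from /proc/net/pf_ring/info (the modinfo output quoted above says modes 1 and 2 require a PF_RING-aware driver), and it compares Suricata's default-packet-size against the largest Ethernet frame the interface MTU implies. The sample info text is a constructed copy of the values the poster shared; the +14 byte Ethernet header (and the optional +4 for an 802.1Q tag) is my assumption about frame layout, not something the thread states, and the function names are mine.

```shell
#!/bin/sh
# Sanity-check a PF_RING + Suricata capture setup. Example code written
# for this page, not Suricata's or PF_RING's own tooling.

# Constructed sample of /proc/net/pf_ring/info, copied from the values
# quoted in the thread so the script runs offline.
PFRING_INFO='PF_RING Version          : 6.0.2 ($Revision: $)
Total rings              : 1

Standard (non DNA) Options
Ring slots               : 65534
Slot version             : 16
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 2]
Total plugins            : 0'

# Read /proc/net/pf_ring/info text on stdin and print the numeric
# transparent mode: 0 (standard Linux), 1 or 2.  "No" means mode 0.
pfring_transparent_mode() {
    awk -F: '/^Transparent mode/ {
        if ($2 ~ /mode [0-9]/) {
            sub(/.*mode /, "", $2); sub(/\].*/, "", $2); print $2
        } else {
            print 0
        }
    }'
}

# Per the pf_ring module parameter help quoted above, transparent_mode 1
# and 2 only deliver packets through a PF_RING-aware driver.
pfring_needs_aware_driver() {
    case "$1" in
        1|2) echo yes ;;
        *)   echo no ;;
    esac
}

# Does default-packet-size ($1) hold a full frame for MTU $2?
# Assumption: 14-byte Ethernet header; pass 1 as $3 to add a 4-byte
# 802.1Q tag as well.
frame_fits() {
    hdr=14
    [ "${3:-0}" = "1" ] && hdr=$((hdr + 4))
    if [ "$1" -ge $(($2 + hdr)) ]; then echo yes; else echo no; fi
}

# Combine both checks.  Args: default-packet-size, MTU; info text on stdin.
capture_report() {
    mode=$(pfring_transparent_mode)
    echo "transparent_mode=$mode needs_pf_ring_aware_driver=$(pfring_needs_aware_driver "$mode")"
    echo "default_packet_size_fits_frame=$(frame_fits "$1" "$2")"
}

# Stand-alone usage with the constructed sample and the 1552 / 1500
# figures mentioned in the thread:
printf '%s\n' "$PFRING_INFO" | capture_report 1552 1500
```

On a live sensor, replace the sample with `cat /proc/net/pf_ring/info`, the MTU with `cat /sys/class/net/eth3/mtu`, and the packet size with the value from the `default-packet-size` line of suricata.yaml. The report tells you whether the interface you chose must be driven by a PF_RING-aware driver for that mode, which is the variable that differed between the working (eth2) and non-working (eth3) tests described above.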