[Oisf-users] Zero packets captured with suricata 2.0.4+PFRING 6.0.2
Giuseppe Longo
giuseppelng at gmail.com
Mon Oct 13 07:09:04 UTC 2014
Doing some test we have noticed that with this value Suricata/PF_RING
is able to capture packets. Personally I want to go more in depth and figure out
which is the problem.
Please try it and report if it works, if so, you can obviously tune it.
Thanks
2014-10-13 8:58 GMT+02:00 C. L. Martinez <carlopmart at gmail.com>:
> Thanks for your answer Giuseppe, but one question: why to 65534?? This
> is a 1GiB net. MTU for net device is configured to 1514 ....
>
>
> On Mon, Oct 13, 2014 at 6:53 AM, Giuseppe Longo <giuseppelng at gmail.com> wrote:
>> Hi,
>> Could you share your default-packet-size?
>> If it is set to 1552, please try to increase it:
>>
>> default-packet-size: 65534
>>
>> 2014-10-13 8:50 GMT+02:00 C. L. Martinez <carlopmart at gmail.com>:
>>> On Fri, Oct 10, 2014 at 1:44 PM, Peter Manev <petermanev at gmail.com> wrote:
>>>>
>>>> Hi,
>>>> Could you please share the output of :
>>>>
>>>> 1)
>>>> modinfo pf_ring && cat /proc/net/pf_ring/info
>>>>
>>>> 2)
>>>> pfring section in your suricata.yaml
>>>>
>>>> 3)
>>>> suricata --build-info
>>>> ?
>>>>
>>>
>>> Sorry for the delay.
>>>
>>> Here, the answers:
>>>
>>> a)
>>> modinfo pf_ring:
>>>
>>> filename:
>>> /lib/modules/2.6.32-431.29.2.el6.x86_64/kernel/net/pf_ring/pf_ring.ko
>>> alias: net-pf-27
>>> description: Packet capture acceleration and analysis
>>> author: Luca Deri <deri at ntop.org>
>>> license: GPL
>>> srcversion: CE1D96764C8F88915343823
>>> depends:
>>> vermagic: 2.6.32-431.29.2.el6.x86_64 SMP mod_unload modversions
>>> parm: min_num_slots:Min number of ring slots (uint)
>>> parm: perfect_rules_hash_size:Perfect rules hash size (uint)
>>> parm: transparent_mode:0=standard Linux,
>>> 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and
>>> 2 you need to use a PF_RING aware driver (uint)
>>> parm: enable_debug:Set to 1 to enable PF_RING debug tracing
>>> into the syslog (uint)
>>> parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
>>> parm: enable_frag_coherence:Set to 1 to handle fragments
>>> (flow coherence) in clusters (uint)
>>> parm: enable_ip_defrag:Set to 1 to enable IP
>>> defragmentation(only rx traffic is defragmentead) (uint)
>>> parm: quick_mode:Set to 1 to run at full speed but with upto
>>> one socket per interface (uint)
>>>
>>> cat /proc/net/pf_rig/info
>>> PF_RING Version : 6.0.2 ($Revision: $)
>>> Total rings : 1
>>>
>>> Standard (non DNA) Options
>>> Ring slots : 65534
>>> Slot version : 16
>>> Capture TX : No [RX only]
>>> IP Defragment : No
>>> Socket Mode : Standard
>>> Transparent mode : Yes [mode 2]
>>> Total plugins : 0
>>> Cluster Fragment Queue : 0
>>> Cluster Fragment Discard : 0
>>>
>>>
>>> 2)
>>>
>>> pfring:
>>> - interface: eth3
>>> # Number of receive threads (>1 will enable experimental flow pinned
>>> # runmode)
>>> threads: 2
>>>
>>> # Default clusterid. PF_RING will load balance packets based on flow.
>>> # All threads/processes that will participate need to have the same
>>> # clusterid.
>>> cluster-id: 99
>>>
>>> # Default PF_RING cluster type. PF_RING can load balance per flow
>>> or per hash.
>>> # This is only supported in versions of PF_RING > 4.1.1.
>>> cluster-type: cluster_round_robin
>>> # Choose checksum verification mode for the interface. At the moment
>>> # of the capture, some packets may be with an invalid checksum due to
>>> # offloading to the network card of the checksum computation.
>>> # Possible values are:
>>> # - rxonly: only compute checksum for packets received by network card.
>>> # - yes: checksum validation is forced
>>> # - no: checksum validation is disabled
>>> # - auto: suricata uses a statistical approach to detect when
>>> # checksum off-loading is used. (default)
>>> # Warning: 'checksum-validation' must be set to yes to have any validation
>>> #checksum-checks: auto
>>>
>>> 3)
>>>
>>> suricata --build-info
>>> This is Suricata version 2.0.4 RELEASE
>>> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET
>>> HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
>>> HAVE_NSS HAVE_LIBJANSSON PROFILING
>>> SIMD support: none
>>> Atomic intrisics: 1 2 4 8 byte(s)
>>> 64-bits, Little-endian architecture
>>> GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
>>> L1 cache line size (CLS)=64
>>> compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
>>> Suricata Configuration:
>>> AF_PACKET support: yes
>>> PF_RING support: yes
>>> NFQueue support: no
>>> NFLOG support: no
>>> IPFW support: no
>>> DAG enabled: no
>>> Napatech enabled: no
>>> Unix socket enabled: yes
>>> Detection enabled: yes
>>>
>>> libnss support: yes
>>> libnspr support: yes
>>> libjansson support: yes
>>> Prelude support: no
>>> PCRE jit: no
>>> LUA support: no
>>> libluajit: no
>>> libgeoip: yes
>>> Non-bundled htp: no
>>> Old barnyard2 support: no
>>> CUDA enabled: no
>>>
>>> Suricatasc install: yes
>>>
>>> Unit tests enabled: no
>>> Debug output enabled: no
>>> Debug validation enabled: no
>>> Profiling enabled: yes
>>> Profiling locks enabled: no
>>> Coccinelle / spatch: no
>>>
>>> Generic build parameters:
>>> Installation prefix (--prefix): /opt/suricata
>>> Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/
>>> Log directory (--localstatedir) : /opt/suricata/var/log/suricata/
>>>
>>> Host: x86_64-unknown-linux-gnu
>>> GCC binary: gcc
>>> GCC Protect enabled: no
>>> GCC march native enabled: no
>>> GCC Profile enabled: no
>>>
>>>
>>> In this vm, I have a moloch instance to do some tests also. Moloch
>>> listens in eth2. I have changed transparent_mode to 1 in pf_ring
>>> module and I setup suricata to listen in the same interface. Result:
>>> all works.
>>>
>>>
>>> So, when I configure pf_ring module to use transparent_mode to 2 and I
>>> use a different interface for suricata (in my case, eth3), it doesn't
>>> works. But If I setup pf_ring module to use transparent_mode to 1 and
>>> suricata listens in the same net device as a Moloch instance, all
>>> works.
>>>
>>> Any ideas why??
>>>
>>>
>>> I use e1000 driver provided by pf_ring package in both tests ....
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Training now available: http://suricata-ids.org/training/
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
More information about the Oisf-users
mailing list