[Oisf-users] Suricata 2.1beta3 and pf_ring 6.0.2

Michał Purzyński michalpurzynski1 at gmail.com
Fri Feb 13 10:40:48 UTC 2015


With the help from Regit @ #suricata I could sort this out. Turns out:

1. Per Regit, Suricata does not need to be built against the pf_ring
provided libpcap.
It only uses pcap to install the BPF filter, so all the options
"with-libpcap" are not really necessary.

2. It is important to install the "kernel" part of pf_ring, so cd
your_pfring_dir && ./configure --prefix=/opt/pfring and sudo make
install before building suri.
This process copies pf_ring into the Linux headers, which is later
included by pf_ring.h

Thanks a lot, and I hope this experience will be useful to someone in
the future :-)


On Fri, Feb 13, 2015 at 2:21 AM, Michał Purzyński
<michalpurzynski1 at gmail.com> wrote:
> Hey, I'm trying to build Suricata 2.1beta3 against pf_ring 6.0.2
> libpcap and the configure process fails
>
> LIBS="-lrt -lnuma" ./configure --enable-gccmarch-native
> --enable-luajit --enable-pfring
> --with-libpfring-libraries=/opt/pfring/lib
> --with-libpfring-includes=/opt/pfring/include
> --with-libpcap-includes=/opt/pfring/include
> --with-libpcap-libraries=/opt/pfring/lib
> --with-libnss-libraries=/usr/lib
> --with-libnss-includes=/usr/include/nss/
> --with-libnspr-libraries=/usr/lib
> --with-libnspr-includes=/usr/include/nspr --enable-gccprotect
>
> Everything is there - I have just built another application against
> this libpcap and it works.
>
> nsmbuild1 :: ~/tmp/suricata-2.1beta3 » ls -lh /opt/pfring/include
>
>                                 1 ↵
> total 116K
> drwxr-xr-x 2 root root 4.0K Feb 12 17:12 pcap
> -rw-r--r-- 1 root root 2.4K Feb 12 11:56 pcap-bpf.h
> -rw-r--r-- 1 root root 2.3K Feb 12 11:56 pcap.h
> -rw-r--r-- 1 root root 2.1K Feb 12 11:56 pcap-namedb.h
> -rw-r--r-- 1 root root  57K Feb 12 11:59 pfring.h
> -rw-r--r-- 1 root root  13K Feb 12 11:59 pfring_mod_sysdig.h
> -rw-r--r-- 1 root root  21K Feb 12 11:59 pfring_zc.h
>
> nsmbuild1 :: ~/tmp/suricata-2.1beta3 » ls -lh /opt/pfring/lib
> total 1.9M
> -rw-r--r-- 1 root root 403K Feb 12 11:56 libpcap.a
> lrwxrwxrwx 1 root root   12 Feb 12 12:24 libpcap.so -> libpcap.so.1
> lrwxrwxrwx 1 root root   16 Feb 12 12:24 libpcap.so.1 -> libpcap.so.1.1.1
> -rwxr-xr-x 1 root root 596K Feb 12 11:56 libpcap.so.1.1.1
> -rw-r--r-- 1 root root 526K Feb 12 11:59 libpfring.a
> -rwxr-xr-x 1 root root 399K Feb 12 11:59 libpfring.so
>
>
> The error looks like this
>
>
> checking pcap.h usability... yes
> checking pcap.h presence... yes
> checking for pcap.h... yes
> checking for pcap.h... (cached) yes
> checking pcap/pcap.h usability... yes
> checking pcap/pcap.h presence... yes
> checking for pcap/pcap.h... yes
> checking pcap/bpf.h usability... yes
> checking pcap/bpf.h presence... yes
> checking for pcap/bpf.h... yes
> checking for pcap_open_live in -lpcap... yes
> checking for pcap_activate in -lpcap... yes
> checking for pcap-config... /usr/bin/pcap-config
> checking for pcap_set_buffer_size in -lpcap... yes
> checking for pfring_open in -lpfring... yes
>
>
>    ERROR! --enable-pfring was passed but the library version is < 6, go get it
>    from http://www.ntop.org/products/pf_ring/
>
>
> config.log has some clues, unfortunately not for me, but maybe you know?
>
> In file included from conftest.c:95:0:
> /opt/pfring/include/pfring.h:207:5: error: unknown type name 'dna_device'
> /opt/pfring/include/pfring.h:208:5: error: unknown type name 'dna_indexes'
> /opt/pfring/include/pfring.h:211:5: error: unknown type name
> 'dna_device_operation'
>
> |                     #include <pfring.h>
> | int
> | main ()
> | {
> |                     pfring_recv_chunk(NULL, NULL, 0, 0);
> |   ;
> |   return 0;
> | }
>
> This little program fails
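
Added example (not part of the original message, and not Suricata or PF_RING project code): a pre-flight check and config.log triage for the situation above, where configure reports "library version is < 6" while config.log shows the probe failing to compile pfring.h. The function names, the verdict strings and the `linux/pf_ring.h` location under the include directories are assumptions; the sample log line in the test is constructed from the one quoted in the message.

```shell
#!/bin/sh
# Added example: checks to run before ./configure --enable-pfring,
# and a triage of config.log when the pf_ring probe fails.

# pfring_preflight PREFIX SYS_INCLUDE
# Returns 0 = ready to configure
#         1 = userland part missing (pfring.h or libpfring under PREFIX)
#         2 = kernel-side header missing (the "kernel" make install was skipped)
pfring_preflight() {
    prefix=$1
    sysinc=$2
    [ -f "$prefix/include/pfring.h" ] || return 1
    ls "$prefix"/lib/libpfring.* >/dev/null 2>&1 || return 1
    # Assumption: pfring.h pulls in linux/pf_ring.h, installed either in the
    # system include directory or next to pfring.h.
    [ -f "$sysinc/linux/pf_ring.h" ] || [ -f "$prefix/include/linux/pf_ring.h" ] || return 2
    return 0
}

# pfring_triage CONFIG_LOG
# Prints one verdict word explaining why the pf_ring probe failed.
pfring_triage() {
    log=$1
    if grep -q "pfring\.h:[0-9]*:[0-9]*: error: unknown type name" "$log"; then
        # The header itself does not compile: kernel-side types are undefined,
        # so the "version < 6" message from configure is misleading.
        echo kernel-headers-missing
    elif grep -q "pfring_recv_chunk" "$log" && grep -q "undefined reference" "$log"; then
        # The probe compiled but did not link: the library really lacks the symbol.
        echo old-libpfring
    else
        echo unknown
    fi
}

# Stand-alone use: sh pfring_check.sh /path/to/config.log
if [ "$#" -ge 1 ]; then
    pfring_triage "$1"
fi
```

A return value of 2 from `pfring_preflight /opt/pfring /usr/include` corresponds to point 2 of the reply: run the pf_ring kernel install step before configuring Suricata.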


