[Oisf-users] Suricata with PF_RING and IXGBE

Victor Julien lists at inliniac.net
Mon Mar 7 14:12:00 UTC 2016


On 29-02-16 18:54, Yasha Zislin wrote:
> I've reached out to PF_RING folks and they tried to provide a patch but
> it was declined by Suricata.

Actually, they disappeared after we suggested some improvements. Not
quite the same as rejecting.

Anyway, I talked to Alfredo and will merge his 'break loop' work soon.
That will address the shutdown issue.

Cheers,
Victor

> 
> https://github.com/inliniac/suricata/pull/1696
> https://github.com/inliniac/suricata/commit/4c7d0ae0fb8a00a2b17803dc981cdf0cc841f381
> 
> This patch is supposed to fix the issue with no traffic on the thread.
> 
>> To: oisf-users at lists.openinfosecfoundation.org
>> From: lists at inliniac.net
>> Date: Mon, 29 Feb 2016 17:24:43 +0100
>> Subject: Re: [Oisf-users] Suricata with PF_RING and IXGBE
>>
>> On 29-02-16 15:52, Yasha Zislin wrote:
>> > I have a weird problem. I have a bunch of sensors running in CentOS 6
>> > with latest pf_ring and Suricata 2.1beta4.
>> > Most of the sensors have HP fiber nics (10 gigs) for monitoring
>> > interfaces but two of them have Intel 82599 (ixgbe).
>> > One of these Intel sensors is active and the other is standby. Standby
>> > barely has any traffic on monitored interface (about 400 packets a
>> > minute which are all broadcast).
>> > When I start suricata service on the standby, it is impossible to reload
>> > rules or to stop it. On stop it eventually dies off with this message:
>> > <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect
>> > thread - "RxPFReth21". Killing engine
>> >
>> > I've flipped the active and standby to check if the server/hardware is
>> > the problem. The issue moved to the other server when it became standby.
>> >
>> > I've installed the latest Intel Driver. I've set everything on it as per
>> > article:
>> >
>> > http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html
>> >
>> > I've tried killing irqbalance and setting affinity. No luck.
>> > I did however notice that if I reduce the number of threads to 1,
>> > everything is working. But when it is more than one, the issue starts.
>> >
>> > Did anybody else have this issue with Intel cards and PF_RING???
>>
>> This looks a lot like this issue here:
>> https://redmine.openinfosecfoundation.org/issues/1716
>>
>> The problem could be that some threads never get traffic.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------


