[Oisf-users] Myricom and Suricata
Edgmand, Craig
craig.edgmand at okstate.edu
Mon Aug 27 20:26:21 UTC 2018
Hi all,
Recently I installed a Myricom 10G with the Sniffer v3 software in a server to be
used for Suricata and I am having some issues with Suricata using the sniffer
interface.
I compiled a version of tcpdump with the /opt/snf libraries and it works fine with
both interfaces p1p1 and snf0.
$ ldd tcpdump | grep snf
libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f6f6dbd8000)
libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f6f6d5f7000)
# SNF_NUM_RINGS=16 SNF_DEBUG_MASK=3 SNF_DATARING_SIZE=4294967296 SNF_DESCRING_SIZE=1073741824 /opt/tcpdump/tcpdump-4.1.1/tcpdump -n -i p1p1 -c 102400
15715 snf.0.-1 P (userset) SNF_PORTNUM = 0
15715 snf.0.-1 P (default) SNF_RING_ID = -1 (0xffffffff)
15715 snf.0.-1 P (environ) SNF_NUM_RINGS = 16 (0x10)
15715 snf.0.-1 P (default) SNF_RSS_FLAGS = 49 (0x31)
15715 snf.0.-1 P (environ) SNF_DATARING_SIZE = 4294967296 (0x100000000) (4096.0 MiB)
15715 snf.0.-1 P (environ) SNF_DESCRING_SIZE = 1073741824 (0x40000000) (1024.0 MiB)
15715 snf.0.-1 P (userset) SNF_FLAGS = 1 (0x1)
15715 snf.0.-1 P (environ) SNF_DEBUG_MASK = 3 (0x3)
15715 snf.0.-1 P (default) SNF_DEBUG_FILENAME = stderr
15715 snf.0.-1 P (default) SNF_APP_ID = -1 (0xffffffff)
15715 snf.0.-1 P SNF_DEBUG_MASK=0x3 for modes WARN=0x1, PARAM=0x2 QSTATS=0x4 TIMESYNC=0x8 IOCTL=0x10 QEVENTS=0x20 ARISTA=0x40
......
......
......
102400 packets captured
102400 packets received by filter
0 packets dropped by kernel
15726 snf.0.0 P rx_fini: tot= 4954776 [keep/skip/drop] [ 102400/4852376/ 0] [ 2.1%/ 97.9%/ 0.0%]
#
When you look at myri_counters it clearly shows that it is using the sniffer interface.
SNF recv pkts: 3974744
SNF drop ring full: 0
However with Suricata I cannot utilize the sniffer interface.
I tried the following configure options for suricata:
# ./configure --prefix=/opt/suricata --sysconfdir=/opt/suricata/etc --localstatedir=/opt/suricata --enable-geopip -enable-lua --with-libpcap=/opt/snf/
# ./configure --prefix=/opt/suricata --sysconfdir=/opt/suricata/etc --localstatedir=/opt/suricata --enable-geopip -enable-lua --with-libpcap-includes=/opt/snf/include/ --with-libpcap-libraries=/opt/snf/lib/
# ./configure --prefix=/opt/suricata --sysconfdir=/opt/suricata/etc --localstatedir=/opt/suricata --enable-geopip -enable-lua --with-libpcap=/opt/snf/ --with-libpcap-includes=/opt/snf/include/ --with-libpcap-libraries=/opt/snf/lib/
The compiled version of suricata shows that it is linked with the snf.
$ ldd suricata | grep snf
libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007fb840a04000)
libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007fb83e528000)
I edited the pcap entry in suricata.yaml:
pcap:
  - interface: p1p1
    threads: 16
    buffer-size: 2gb
    promisc: no
I ran variations of this command:
# SNF_NUM_RINGS=16 SNF_DEBUG_MASK=3 SNF_DATARING_SIZE=4294967296 SNF_DESCRING_SIZE=1073741824 /opt/suricata/bin/suricata -i p1p1 -c /opt/suricata/etc/suricata/suricata.yaml -v --runmode=workers
After running these, myri_counters shows no packets using the sniffer interface.
SNF recv pkts: 0
SNF drop ring full: 0
If you try to run the tests using the snf0 interface, suricata dies.
Any thoughts? I have reviewed the documentation from Myricom and Suricata as well.
Thanks,
Craig Edgmand
Oklahoma State University
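A check a reader may want to run on a box like the one above, written here as an added example (it is not part of the original post and not code from Suricata or Myricom). ldd only reports link-time resolution; whether the running Suricata process actually has the SNF libpcap mapped is answered by /proc/PID/maps, and whether packets went through SNF is answered by the "SNF recv pkts" counter moving while Suricata runs. The script separates those three checks into functions that read text, so they can be tried on captured output before being pointed at a live system. The paths (/opt/snf/lib, /opt/suricata/bin/suricata) and the myri_counters output shape are assumptions taken from the post; the sample lines in the usage below are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Suricata/Myricom.
# Three checks for a libpcap consumer built against the Myricom SNF libpcap:
#   1. link-time resolution, from `ldd <binary>` output
#   2. run-time mapping, from /proc/PID/maps of the running process
#   3. traffic actually flowing through SNF, from "SNF recv pkts" counters
# Paths are assumptions taken from the post: SNF under /opt/snf, Suricata
# under /opt/suricata.

SNF_LIBDIR="${SNF_LIBDIR:-/opt/snf/lib}"
SURICATA_BIN="${SURICATA_BIN:-/opt/suricata/bin/suricata}"

# Link-time view: read `ldd <binary>` output on stdin, succeed if libpcap.so.1
# resolves inside $SNF_LIBDIR. This is only the default resolution; the real
# process environment (LD_LIBRARY_PATH, rpath) can still pick another copy.
ldd_uses_snf() {
    grep -q "libpcap\.so\.1 => ${SNF_LIBDIR}/libpcap\.so\.1"
}

# Run-time view: /proc/PID/maps lists every shared object mapped into the
# process, so this is the authoritative answer. Takes the maps file path so
# it can be exercised on a constructed file as well as a live process.
maps_uses_snf() {
    grep -q "${SNF_LIBDIR}/libpcap\.so" "$1"
}

# Extract the "SNF recv pkts" value from myri_counters-style text on stdin.
snf_recv_pkts() {
    awk -F: '/^SNF recv pkts:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Packets that went through SNF between two counter snapshots (after - before).
snf_delta() {
    echo $(( $2 - $1 ))
}

# Live driver: only runs when invoked as `sh check-snf.sh run <suricata-pid>`.
if [ "${1:-}" = "run" ]; then
    pid="$2"
    if ldd "$SURICATA_BIN" | ldd_uses_snf; then
        echo "link-time: $SURICATA_BIN resolves libpcap to $SNF_LIBDIR"
    else
        echo "link-time: $SURICATA_BIN does NOT resolve libpcap to $SNF_LIBDIR"
    fi
    if maps_uses_snf "/proc/$pid/maps"; then
        echo "run-time: PID $pid has the SNF libpcap mapped"
    else
        echo "run-time: PID $pid is running with a different libpcap"
    fi
    before=$(myri_counters | snf_recv_pkts)
    sleep 10
    after=$(myri_counters | snf_recv_pkts)
    echo "SNF recv pkts over 10s: $(snf_delta "$before" "$after")"
fi
```

The two library checks answer different questions: a binary can pass the ldd check and still load a distribution libpcap at run time if the process environment differs from the shell where ldd was run, and the maps check is the one that reflects the process Suricata actually started. The counter delta is what the post's myri_counters comparison does by hand, with the SNF environment variables expected to be set in the same environment as the Suricata process.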