[Snort-users] Snort 2.9, RHEL 5 and afpacket DAQ

Russ Combs rcombs at ...1935...
Mon Oct 18 15:36:57 EDT 2010


On Mon, Oct 18, 2010 at 3:22 PM, beenph <beenph at ...11827...> wrote:

> My bet would be that your kernel does not have built-in support for
> mmapped socket_io (which is built-in since 2.6.34ishh) if I remember..
>
> What is your kernel version?
>
> -elz
>
>
> On Mon, Oct 18, 2010 at 2:28 PM, Ralf Spenneberg <ralf at ...8096...>
> wrote:
> > Hi,
> >
> > I am playing around with Snort 2.9.0 on RHEL 5. Using the DAQ libraries
> > with libpcap works fine. But the afpacket daq module always bails on
> > loading:
> >
> > # snort --daq afpacket
> > Running in packet dump mode
> >
> >        --== Initializing Snort ==--
> > Initializing Output Plugins!
> > afpacket DAQ configured to passive.
> > Acquiring network traffic from "eth0".
> >
> >        --== Initialization Complete ==--
> >
> >   ,,_     -*> Snort! <*-
> >  o"  )~   Version 2.9.0 (Build 68)
> >   ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/snort/snort-team
> >           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> >           Using libpcap version 1.1.1
> >           Using PCRE version: 6.6 06-Feb-2006
> >
> > Commencing packet processing (pid=3329)
> > Decoding Ethernet
> > ERROR: Can't start DAQ (-1) - create_rx_ring: Couldn't create kernel RX
> > ring on packet socket: Cannot allocate memory!
> > Fatal Error, Quitting..
> >
> >
> > It works fine on Fedora 13. I have searched the mailing lists but have
> > not found any clue. Does the kernel on RHEL 5 (2.6.18) not provide the
> > necessary interface?
> >
> > It would be fine if stated in the README or FAQ but I have not found
> > anything.
>

Check the DAQ distro README for how to use this option:

--daq-var buffer_size_mb=<#MB>

You pass that to Snort which gives it to afpacket.

> >
> > Any hints, clues, advice?
> >
> > Kind regards,
> >
> > Ralf
> >
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>