[Snort-users] Snort with PF_RING - Compile question

Eugenio Pérez eupm90 at ...11827...
Mon Apr 18 14:46:49 EDT 2016


Hi Chris!

You need to link also with pfring userspace library (-lpfring). Please let
me know if you need more help with this. I hope this answer is not late!

Regards.

2016-04-12 17:09 GMT+02:00 Chris Chiaverini <cchiaverini at ...2968...>:

> Thank you, I will try testing with a different version.
>
> In the meantime, attached is the config.log with more details on it.  This
> looks to be a key point:
>
> configure:14441: result: yes
> configure:14622: checking for pcap_datalink in -lpcap
> configure:14647: gcc -o conftest -g -O2  -I/usr/local/lib/
> -I/usr/local/include -I/usr/local/include  -L/usr/local/lib
> -L/usr/local/lib -L/usr/local/lib conftest.c -lpcap  -lnsl -lm -lm  >&5
> /usr/local/lib/libpcap.a(pcap.o): In function `pcap_breakloop':
> (.text+0x744): undefined reference to `pfring_breakloop'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_read_packet':
> (.text+0x2ac): undefined reference to `pfring_recv'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_stats_linux':
> (.text+0xcc3): undefined reference to `pfring_stats'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_cleanup_linux':
> (.text+0x11d0): undefined reference to `pfring_close'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function
> `pcap_setfilter_linux_common':
> (.text+0x1c67): undefined reference to `pfring_get_bound_device_ifindex'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x2c6b): undefined reference to `pfring_enable_ring'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x2c77): undefined reference to `pfring_get_selectable_fd'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x2d60): undefined reference to `pfring_open'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x2d92): undefined reference to `pfring_set_socket_mode'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x2e39): undefined reference to `pfring_set_poll_watermark'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x3505): undefined reference to `pfring_enable_rss_rehash'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x3975): undefined reference to `pfring_set_application_name'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x39ae): undefined reference to `pfring_set_cluster'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x417b): undefined reference to `pfring_set_cluster'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x433b): undefined reference to `pfring_set_cluster'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x44fe): undefined reference to `pfring_set_cluster'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> (.text+0x4536): undefined reference to `pfring_set_cluster'
> /usr/local/lib/libpcap.a(pcap-linux.o):(.text+0x4553): more undefined
> references to `pfring_set_cluster' follow
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_get_pfring_id':
> (.text+0x5203): undefined reference to `pfring_get_ring_id'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_set_watermark':
> (.text+0x526b): undefined reference to `pfring_set_poll_watermark'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function
> `pcap_setdirection_linux':
> (.text+0x1ea9): undefined reference to `pfring_set_direction'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function
> `pcap_setdirection_linux':
> (.text+0x1eb8): undefined reference to `pfring_set_direction'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_inject_linux':
> (.text+0x1f9b): undefined reference to `pfring_send'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function
> `pcap_set_appl_name_linux':
> (.text+0x513d): undefined reference to `pfring_set_application_name'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_set_cluster':
> (.text+0x515f): undefined reference to `pfring_set_cluster'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_set_master_id':
> (.text+0x5218): undefined reference to `pfring_set_master_id'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function `pcap_set_master':
> (.text+0x522f): undefined reference to `pfring_set_master'
> /usr/local/lib/libpcap.a(pcap-linux.o): In function
> `pcap_set_application_name':
> (.text+0x5248): undefined reference to `pfring_set_application_name'
> collect2: error: ld returned 1 exit status
> configure:14647: $? = 1
> configure: failed program was:
> | /* confdefs.h */
> | #define PACKAGE_NAME ""
> | #define PACKAGE_TARNAME ""
> | #define PACKAGE_VERSION ""
> | #define PACKAGE_STRING ""
> | #define PACKAGE_BUGREPORT ""
> | #define PACKAGE_URL ""
> | #define PACKAGE "snort"
> | #define VERSION "2.9.8.2"
> | #define STDC_HEADERS 1
> | #define HAVE_SYS_TYPES_H 1
> | #define HAVE_SYS_STAT_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_MEMORY_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_STDINT_H 1
> | #define HAVE_UNISTD_H 1
> | #define HAVE_DLFCN_H 1
> | #define LT_OBJDIR ".libs/"
> | #define LINUX 1
> | #define HAVE__BOOL 1
> | #define HAVE_STDBOOL_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_MATH_H 1
> | #define HAVE_PATHS_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_UNISTD_H 1
> | #define HAVE_WCHAR_H 1
> | #define HAVE_LIBM 1
> | #define HAVE_LIBM 1
> | #define HAVE_LIBNSL 1
> | #define HAVE_SIGACTION 1
> | #define HAVE_STRERROR 1
> | #define HAVE_VSWPRINTF 1
> | #define HAVE_WPRINTF 1
> | #define HAVE_MEMRCHR 1
> | #define HAVE_INET_NTOP 1
> | #define HAVE_SNPRINTF /**/
> | #define HAVE_MALLOC_TRIM 1
> | #define HAVE_MALLINFO 1
> | #define SIZEOF_CHAR 1
> | #define SIZEOF_SHORT 2
> | #define SIZEOF_INT 4
> | #define SIZEOF_LONG_INT 8
> | #define SIZEOF_LONG_LONG_INT 8
> | #define SIZEOF_UNSIGNED_INT 4
> | #define SIZEOF_UNSIGNED_LONG_INT 8
> | #define SIZEOF_UNSIGNED_LONG_LONG_INT 8
> | #define HAVE_U_INT8_T 1
> | #define HAVE_U_INT16_T 1
> | #define HAVE_U_INT32_T 1
> | #define HAVE_U_INT64_T 1
> | #define HAVE_UINT8_T 1
> | #define HAVE_UINT16_T 1
> | #define HAVE_UINT32_T 1
> | #define HAVE_UINT64_T 1
> | #define HAVE_INT8_T 1
> | #define HAVE_INT16_T 1
> | #define HAVE_INT32_T 1
> | #define HAVE_INT64_T 1
> | #define ERRLIST_PREDEFINED 1
> | #define HAVE___FUNCTION__ 1
> | /* end confdefs.h.  */
> |
> | /* Override any GCC internal prototype to avoid an error.
> |    Use char because int might match the return type of a GCC
> |    builtin and then its argument prototype would still apply.  */
> | #ifdef __cplusplus
> | extern "C"
> | #endif
> | char pcap_datalink ();
> | int
> | main ()
> | {
> | return pcap_datalink ();
> |   ;
> |   return 0;
> | }
>
>
>
> Regards,
>
> Chris Chiaverini
>
> On 04/12/2016 09:54 AM, Balasubramaniam Natarajan wrote:
>
> You could be having a problem with libdumbnet or the former libdnet.
>
> On Tue, Apr 12, 2016 at 2:26 AM, Chris Chiaverini <cchiaverini at ...2968...>
> wrote:
>
>> Hello,
>>
>> Has anyone compiled Snort w/ pfring on RHEL 7.x?  I am attempting on 7.2
>> and hitting an issue with libpcap linking.
>>
>> I used the NTOP PF_RING RPM with snort source and it appears to be a
>> basic linking problem but I have specified them within the configure
>> options:
>>
>> [root at ...17491... snort-2.9.8.2]# rpm -ql
>> pfring
>>
>> /etc/init.d/cluster
>> /etc/init.d/pf_ring
>> /etc/init/pf_ring.conf
>> /etc/ld.so.conf.d/pf_ring.conf
>> /lib64/libanic.so
>> /lib64/libntapi.so
>> /lib64/libntos.so
>> /lib64/libsnf.so
>> /usr/local/bin/pfcount
>> /usr/local/bin/pfdnabounce
>> /usr/local/bin/pfdnacluster_master
>> /usr/local/bin/pfsend
>> /usr/local/bin/zbalance_ipc
>> /usr/local/bin/zcount
>> /usr/local/bin/zcount_ipc
>> /usr/local/bin/zsend
>> /usr/local/include/linux/pf_ring.h
>> /usr/local/include/pfring.h
>> /usr/local/include/pfring_zc.h
>> /usr/local/lib/daq/daq_pfring.la
>> /usr/local/lib/daq/daq_pfring.so
>> /usr/local/lib/daq/daq_pfring_zc.la
>> /usr/local/lib/daq/daq_pfring_zc.so
>> */usr/local/lib/libpcap.a*
>> */usr/local/lib/libpcap.so.1.6.2*
>> /usr/local/lib/libpfring.a
>> /usr/local/lib/libpfring.so
>> /usr/local/lib/libsfbpf.so.0
>> /usr/local/lib/libsfbpf.so.0.0.1
>> /usr/local/pfring/README-DAQ.1st
>> /usr/local/pfring/README.FIRST
>> [root at ...17491... snort-2.9.8.2]# ll /usr/local/lib/libpcap.*
>> *-rw-r--r--. 1 root root  479112 Apr  9 09:26 /usr/local/lib/libpcap.a*
>> *lrwxrwxrwx. 1 root root      16 Apr  4 14:25 /usr/local/lib/libpcap.so.1
>> -> libpcap.so.1.6.2*
>> *-rwxr-xr-x. 1 root root 1377998 Apr  9 09:26
>> /usr/local/lib/libpcap.so.1.6.2*
>> [root at ...17491... snort-2.9.8.2]#
>>
>>
>> [root at ...17491... snort-2.9.8.2]# cat ../configure_snort.sh
>> #!/bin/sh
>>
>> PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/dell/srvadmin/bin:/opt/dell/srvadmin/sbin:/root/bin:/opt/daq/bin
>> LD_LIBRARY_PATH=/opt/daq/lib:*/usr/local/lib*
>> :/lib64:/lib:/usr/lib64:/usr/lib:/usr/local/lib/daq
>> export PATH LD_LIBRARY_PATH
>>
>> ./configure --prefix=/opt/snort-2.9.8.2
>> --with-dnet-includes=/usr/local/include
>> --with-dnet-libraries=/usr/local/lib *--with-libpcap-includes=/usr/local/lib/
>> **--with-libpcap-libraries=/usr/local/lib *--with-libpfring-includes=/usr/local/include/daq
>> --with-libpfring-libraries=/usr/local/lib/daq
>> --with-daq-libraries=/usr/local/lib --with-daq-includes=/usr/local/include \
>> --enable-sourcefire \
>> --enable-zlib \
>> --enable-perfprofiling \
>> --enable-gre \
>> --enable-mpls \
>> --enable-targetbased \
>> --enable-ppm \
>> --enable-perfprofiling \
>> --enable-active-response \
>> --enable-normalizer \
>> --enable-reload \
>> --enable-react \
>> --enable-flexresp3 \
>> --enable-linux-smp-stats \
>> --enable-large-pcap \
>> --enable-targetbased \
>> --enable-sourcefire
>> [root at ...17491... snort-2.9.8.2]#
>>
>>
>> [root at ...17491... snort-2.9.8.2]# sh ../configure_snort.sh
>> configure: WARNING: unrecognized options: --enable-zlib
>> checking for a BSD-compatible install... /usr/bin/install -c
>> checking whether build environment is sane... yes
>> checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
>> checking for gawk... gawk
>> checking whether make sets $(MAKE)... yes
>>
>> <OMMITTED>
>>
>> checking for INADDR_NONE... yes
>> checking for __FUNCTION__... yes
>> checking for pcap_datalink in -lpcap... no
>> checking pfring.h usability... yes
>> checking pfring.h presence... yes
>> checking for pfring.h... yes
>> checking for pfring_open in -lpfring... no
>> *checking for pfring_open in -lpcap... no*
>>
>> *   ERROR!  Libpcap library/headers (libpcap.a (or .so)/pcap.h)*
>> *   not found, go get it from
>> <http://www.tcpdump.org>http://www.tcpdump.org <http://www.tcpdump.org>*
>> *   or use the --with-libpcap-* options, if you have it installed*
>> *   in unusual place.  Also check if your libpcap depends on another*
>> *   shared library that may be installed in an unusual place*
>> [root at ...17491... snort-2.9.8.2]#
>>
>>
>>
>> --
>>
>>
>> Regards,
>>
>> Chris Chiaverini
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Find and fix application performance issues faster with Applications
>> Manager
>> Applications Manager provides deep performance insights into multiple
>> tiers of
>> your business applications. It resolves application problems quickly and
>> reduces your MTTR. Get your free trial!
>> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
>
> --
> Regards,
> Balasubramaniam Natarajan
> http://blog.etutorshop.com
> https://www.youracclaim.com/user/balasubramaniam-natarajan
>
>
>
>
> ------------------------------------------------------------------------------
> Find and fix application performance issues faster with Applications
> Manager
> Applications Manager provides deep performance insights into multiple
> tiers of
> your business applications. It resolves application problems quickly and
> reduces your MTTR. Get your free trial!
> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160418/d1961fab/attachment.html>


More information about the Snort-users mailing list