[Snort-users] Seg fault with latest pf_ring git

James Lay jlay at ...13475...
Tue Nov 1 15:51:25 EDT 2016


Yep...looks like I wait for the Snort devs ;)

James

On 2016-11-01 13:49, Y M wrote:
> There used to be two types of drivers: PF_RING aware and ZC. The ZC
> ones are for PF_RING ZC, which require a license. Looking at the
> directory now I see the "aware" drivers are not there anymore. So I
> stand corrected at this point, as I am not sure how would these play
> with non-ZC PF_RING.
> 
> YM
> -------------------------
> 
> FROM: James Lay <jlay at ...13475...>
> SENT: Tuesday, November 1, 2016 10:41:05 PM
> TO: Y M
> CC: Snort
> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
> 
> Thanks YM....yea I looked at the drivers, but I think they are only
> needed for PF_RING ZC support?  I'm not a pro with pf_ring, so I could
> be way off.  I'll fiddle and see what happens..thanks again.
> 
> James
> 
> On 2016-11-01 13:35, Y M wrote:
>> Always happy to help, James.
>> 
>> Odd that suricata works. Just a couple of notes which may not be
>> related. I see that you did not compile the pf_ring driver (cd
>> drivers/PF_RING_aware/intel/<igb|igbxe>/<version>/src && sudo make
>> install). Since part of the error is "pfring_get_card_settings()",
>> maybe this is related? A second note is that the "min_num_slots" while
>> loading the pfring kernel module, "I believe", is no longer required,
>> which is obviously not related to your issue.
>> 
>> I guess Luca is already on top of it.
>> 
>> YM
>> -------------------------
>> 
>> FROM: James Lay <jlay at ...13475...>
>> SENT: Tuesday, November 1, 2016 10:19:35 PM
>> TO: Y M
>> CC: Snort
>> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
>> 
>> Thanks YM....your willingness to help always impresses me :)  As for
>> pf_ring, this was just a git pull...which...is apparently like..uber
>> fresh:
>> 
>> commit aa5bf8f7d0662d411465895b8ee8fe8935084a6f
>> Author: Luca Deri <deri at ...8215...>
>> Date:   Tue Nov 1 10:53:58 2016 +0100
>> 
>> This is just a dev box, so I can wait until it's fixed...oddly, suricata
>> tests fine:
>> 
>> /opt/suricata/etc/suricata$] sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -T -c /opt/suricata/etc/suricata/suricata.yaml
>> 1/11/2016 -- 12:13:38 - <Info> - Running suricata under test mode
>> 1/11/2016 -- 12:13:38 - <Notice> - This is Suricata version 3.1.3 RELEASE
>> 1/11/2016 -- 12:13:47 - <Notice> - Configuration provided was successfully loaded. Exiting.
>> 
>> pfring config steps:
>> 
>> git clone https://github.com/ntop/PF_RING.git
>> cd PF_RING/kernel
>> make
>> sudo make install
>> 
>> cd ../userland/lib
>> ./configure --prefix=/opt/pfring
>> sudo make install
>> 
>> cd ../libpcap
>> ./configure --prefix=/opt/pfring
>> sudo make install
>> 
>> cd ../tcpdump
>> ./configure --prefix=/opt/pfring
>> sudo make install
>> 
>> cd ../userland/snort/pfring-daq-module
>> autoreconf -ivf
>> ./configure --with-libpfring-includes=/opt/pfring/include \
>>   --with-libpfring-libraries=/opt/pfring/lib
>> make
>> sudo cp .libs/daq_pfring.so /usr/local/lib/daq/
>> 
>> modprobe pf_ring enable_tx_capture=1 min_num_slots=32768
>> 
>> snort config line:
>> ./configure --prefix=/opt/snort --enable-non-ether-decoders \
>>   --enable-sourcefire --enable-shared-rep --enable-control-socket \
>>   --enable-open-appid --with-libpcap-includes=/opt/pfring/include \
>>   --with-libpcap-libraries=/opt/pfring/lib \
>>   --with-libpfring-includes=/opt/pfring/include \
>>   --with-libpfring-libraries=/opt/pfring/lib
>> 
>> Thanks again.
>> 
>> James
>> 
>> On 2016-11-01 12:44, Y M wrote:
>>> A long shot at this, but were all the pf_ring modules (driver,
>>> kernel, pfring libpcap, pfring daq) compiled and installed from the
>>> recent source? If you revert back to the stable version (apt/yum
>>> install), does it work? You can also try uninstalling then make clean
>>> and make distclean, and recompile again.
>>> 
>>> YM
>>> -------------------------
>>> 
>>> FROM: James Lay <jlay at ...13475...>
>>> SENT: Tuesday, November 1, 2016 9:03:38 PM
>>> TO: Snort
>>> SUBJECT: [Snort-users] Seg fault with latest pf_ring git
>>> 
>>> Topic says it.  Config test run:
>>> 
>>> sudo snort --daq-dir=/usr/local/lib/daq --daq pfring  -T -c /opt/snort/etc/snort.conf
>>> 
>>> backtrace:
>>> 
>>> #0  0x00007ffff6b681a8 in pfring_get_card_settings () from /opt/pfring/lib/libpcap.so.1
>>> #1  0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized out>, ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at daq_pfring.c:491
>>> #2  0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at sfdaq.c:515
>>> #3  0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "") at sfdaq.c:553
>>> #4  0x000000000043ba5d in SnortMain (argc=7, argv=0x7fffffffe678) at snort.c:875
>>> #5  0x000000000043b9b3 in main (argc=7, argv=0x7fffffffe678) at snort.c:836
>>> 
>>> sudo snort --daq-dir=/usr/local/lib/daq --daq-list
>>> Available DAQ modules:
>>> pfring(v1): live inline multi unpriv
>>> pcap(v3): readback live multi unpriv
>>> ipfw(v3): live inline multi unpriv
>>> dump(v3): readback live inline multi unpriv
>>> afpacket(v5): live inline multi unpriv
>>> 
>>> Not sure of my next step.
>>> 
>>> James