[Snort-users] Seg fault with latest pf_ring git

Michael Altizer mialtize at ...589...
Tue Nov 1 16:15:16 EDT 2016


I don't know that there's much that we can do without trying to get 
pf_ring up and running ourselves (I tried briefly on an Ubuntu 16.04 VM, 
but that wouldn't compile and I'll probably try again on another, older 
system).  I'd suggest recompiling the pf_ring library and pcap library 
with debugging information (and maybe -O0 for good measure) so you can 
see *why* it's crashing in the pf_ring code.

On 11/01/2016 03:51 PM, James Lay wrote:
> Yep...looks like I wait for the Snort devs ;)
>
> James
>
> On 2016-11-01 13:49, Y M wrote:
>> There used to be two types of drivers: PF_RING aware and ZC. The ZC
>> ones are for PF_RING ZC, which require a license. Looking at the
>> directory now I see the "aware" drivers are not there anymore. So I
>> stand corrected at this point, as I am not sure how these would play
>> with non-ZC PF_RING.
>>
>> YM
>> -------------------------
>>
>> FROM: James Lay <jlay at ...13475...>
>> SENT: Tuesday, November 1, 2016 10:41:05 PM
>> TO: Y M
>> CC: Snort
>> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
>>
>> Thanks YM....yea I looked at the drivers, but I think they are only
>> needed for PF_RING ZC support?  I'm not a pro with pf_ring, so I could
>> be way off.  I'll fiddle and see what happens..thanks again.
>>
>> James
>>
>> On 2016-11-01 13:35, Y M wrote:
>>> Always happy to help, James.
>>>
>>> Odd that suricata works. Just a couple of notes which may not be
>>> related. I see that you did not compile the pf_ring driver (cd
>>> drivers/PF_RING_aware/intel/<igb|igbxe>/<version>/src && sudo make
>>> install). Since part of the error is "pfring_get_card_settings()",
>>> maybe this is related? A second note is that the "min_num_slots" while
>>> loading the pfring kernel module, "I believe", is no longer required,
>>> which is obviously not related to your issue.
>>>
>>> I guess Luca is already on top of it.
>>>
>>> YM
>>> -------------------------
>>>
>>> FROM: James Lay <jlay at ...13475...>
>>> SENT: Tuesday, November 1, 2016 10:19:35 PM
>>> TO: Y M
>>> CC: Snort
>>> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
>>>
>>> Thanks YM....your willingness to help always impresses me :)  As for
>>> pf_ring, this was just a git pull...which...is apparently like..uber
>>> fresh:
>>>
>>> commit aa5bf8f7d0662d411465895b8ee8fe8935084a6f
>>> Author: Luca Deri <deri at ...8215...>
>>> Date:   Tue Nov 1 10:53:58 2016 +0100
>>>
>>> This is just a dev box, so I can wait until it's fixed...oddly,
>>> suricata tests fine:
>>>
>>> /opt/suricata/etc/suricata$] sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -T -c /opt/suricata/etc/suricata/suricata.yaml
>>> 1/11/2016 -- 12:13:38 - <Info> - Running suricata under test mode
>>> 1/11/2016 -- 12:13:38 - <Notice> - This is Suricata version 3.1.3 RELEASE
>>> 1/11/2016 -- 12:13:47 - <Notice> - Configuration provided was successfully loaded. Exiting.
>>>
>>> pfring config steps:
>>>
>>> git clone https://github.com/ntop/PF_RING.git
>>> cd PF_RING/kernel
>>> make
>>> sudo make install
>>>
>>> cd ../userland/lib
>>> ./configure --prefix=/opt/pfring
>>> sudo make install
>>>
>>> cd ../libpcap
>>> ./configure --prefix=/opt/pfring
>>> sudo make install
>>>
>>> cd ../tcpdump
>>> ./configure --prefix=/opt/pfring
>>> sudo make install
>>>
>>> cd ../userland/snort/pfring-daq-module
>>> autoreconf -ivf
>>> ./configure --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib
>>> make
>>> sudo cp .libs/daq_pfring.so /usr/local/lib/daq/
>>>
>>> modprobe pf_ring enable_tx_capture=1 min_num_slots=32768
>>>
>>> snort config line:
>>> ./configure --prefix=/opt/snort --enable-non-ether-decoders --enable-sourcefire --enable-shared-rep --enable-control-socket --enable-open-appid --with-libpcap-includes=/opt/pfring/include --with-libpcap-libraries=/opt/pfring/lib --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib
>>>
>>> Thanks again.
>>>
>>> James
>>>
>>> On 2016-11-01 12:44, Y M wrote:
>>>> A long shot at this, but were all the pf_ring modules (driver,
>>>> kernel, pfring libpcap, pfring daq) compiled and installed from the
>>>> recent source? If you revert back to the stable version (apt/yum
>>>> install), does it work? You can also try uninstalling then make clean
>>>> and make distclean, and recompile again.
>>>>
>>>> YM
>>>> -------------------------
>>>>
>>>> FROM: James Lay <jlay at ...13475...>
>>>> SENT: Tuesday, November 1, 2016 9:03:38 PM
>>>> TO: Snort
>>>> SUBJECT: [Snort-users] Seg fault with latest pf_ring git
>>>>
>>>> Topic says it.  Config test run:
>>>>
>>>> sudo snort --daq-dir=/usr/local/lib/daq --daq pfring  -T -c /opt/snort/etc/snort.conf
>>>>
>>>> backtrace:
>>>>
>>>> #0  0x00007ffff6b681a8 in pfring_get_card_settings () from /opt/pfring/lib/libpcap.so.1
>>>> #1  0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized out>, ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at daq_pfring.c:491
>>>> #2  0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at sfdaq.c:515
>>>> #3  0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "") at sfdaq.c:553
>>>> #4  0x000000000043ba5d in SnortMain (argc=7, argv=0x7fffffffe678) at snort.c:875
>>>> #5  0x000000000043b9b3 in main (argc=7, argv=0x7fffffffe678) at snort.c:836
>>>>
>>>> sudo snort --daq-dir=/usr/local/lib/daq --daq-list
>>>> Available DAQ modules:
>>>> pfring(v1): live inline multi unpriv
>>>> pcap(v3): readback live multi unpriv
>>>> ipfw(v3): live inline multi unpriv
>>>> dump(v3): readback live inline multi unpriv
>>>> afpacket(v5): live inline multi unpriv
>>>>
>>>> Not sure of my next step.
>>>>
>>>> James
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Developer Access Program for Intel Xeon Phi Processors
>>>> Access to Intel Xeon Phi processor-based developer platforms.
>>>> With one year of Intel Parallel Studio XE.
>>>> Training and support from Colfax.
>>>> Order your platform today. http://sdm.link/xeonphi
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users [1]
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>
>> Links:
>> ------
>> [1] http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users






More information about the Snort-users mailing list
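
Added example (not part of the original thread, and not Snort or PF_RING project code): the top reply suggests rebuilding the pf_ring and pcap libraries with debugging information to see why the crash happens. The sketch below takes the first four frames of the backtrace as quoted in the thread, strips the mail quote markers, rejoins the wrapped lines, and reports which shared objects gdb could only show as `from <lib>` (no line information), which are the ones to rebuild with `-g`. The function names are hypothetical.

```python
import re

# Frames #0-#3 of the backtrace as quoted in the thread, with the mail
# client's '>' markers and line wrapping left in place.
QUOTED_BT = r'''
>>>> #0  0x00007ffff6b681a8 in pfring_get_card_settings () from
>>>> /opt/pfring/lib/libpcap.so.1
>>>> #1  0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized
>>>> out>,
>>>> ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at
>>>> daq_pfring.c:491
>>>> #2  0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at
>>>> sfdaq.c:515
>>>> #3  0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "")
>>> at
>>>> sfdaq.c:553
'''

FRAME = re.compile(
    r'#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \((?P<args>.*)\)'
    r'(?: at (?P<src>\S+):(?P<line>\d+)| from (?P<lib>\S+))?$')

def parse_frames(text):
    """Strip '>' quote markers, rejoin wrapped lines, parse each gdb frame."""
    frames, buf = [], []
    for raw in text.splitlines():
        line = re.sub(r'^[>\s]+', '', raw).rstrip()
        if not line:
            continue
        if line.startswith('#') and buf:   # a new frame starts here
            frames.append(' '.join(buf))
            buf = []
        buf.append(line)
    if buf:
        frames.append(' '.join(buf))
    return [m.groupdict() for m in map(FRAME.match, frames) if m]

def objects_missing_debug_info(frames):
    """gdb prints 'from <lib>' when it has no line info for that object."""
    return sorted({f['lib'] for f in frames if f['lib']})

def optimized_out_frames(frames):
    """Frames whose arguments were optimized away (a reason to try -O0)."""
    return [int(f['num']) for f in frames if '<optimized out>' in f['args']]
```

On the quoted backtrace this singles out `/opt/pfring/lib/libpcap.so.1` as the object lacking line information and frame #1 as the one with optimized-out arguments.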