[Snort-users] Seg fault with latest pf_ring git

James Lay jlay at ...13475...
Tue Nov 1 16:31:30 EDT 2016


Can do...this is on Ubuntu 16.04, non virtual :)  I'll report what I got 
in a bit.

James

On 2016-11-01 14:15, Michael Altizer wrote:
> I don't know that there's much that we can do without trying to get
> pf_ring up and running ourselves (I tried briefly on an Ubuntu 16.04 VM,
> but that wouldn't compile and I'll probably try again on another, older
> system).  I'd suggest recompiling the pf_ring library and pcap library
> with debugging information (and maybe -O0 for good measure) so you can
> see *why* it's crashing in the pf_ring code.
> 
> On 11/01/2016 03:51 PM, James Lay wrote:
>> Yep...looks like I wait for the Snort devs ;)
>> 
>> James
>> 
>> On 2016-11-01 13:49, Y M wrote:
>>> There used to be two types of drivers: PF_RING aware and ZC. The ZC
>>> ones are for PF_RING ZC, which require a license. Looking at the
>>> directory now I see the "aware" drivers are not there anymore. So I
>>> stand corrected at this point, as I am not sure how would these play
>>> with non-ZC PF_RING.
>>> 
>>> YM
>>> -------------------------
>>> 
>>> FROM: James Lay <jlay at ...13475...>
>>> SENT: Tuesday, November 1, 2016 10:41:05 PM
>>> TO: Y M
>>> CC: Snort
>>> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
>>> 
>>> Thanks YM....yea I looked at the drivers, but I think they are only
>>> needed for PF_RING ZC support?  I'm not a pro with pf_ring, so I could
>>> be way off.  I'll fiddle and see what happens..thanks again.
>>> 
>>> James
>>> 
>>> On 2016-11-01 13:35, Y M wrote:
>>>> Always happy to help, James.
>>>> 
>>>> Odd that suricata works. Just a couple of notes which may not be
>>>> related. I see that you did not compile the pf_ring driver (cd
>>>> drivers/PF_RING_aware/intel/<igb|igbxe>/<version>/src && sudo make
>>>> install). Since part of the error is "pfring_get_card_settings()",
>>>> maybe this is related? A second note is that the "min_num_slots" while
>>>> loading the pfring kernel module, "I believe", is no longer required,
>>>> which is obviously not related to your issue.
>>>> 
>>>> I guess Luca is already on top of it.
>>>> 
>>>> YM
>>>> -------------------------
>>>> 
>>>> FROM: James Lay <jlay at ...13475...>
>>>> SENT: Tuesday, November 1, 2016 10:19:35 PM
>>>> TO: Y M
>>>> CC: Snort
>>>> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
>>>> 
>>>> Thanks YM....your willingness to help always impresses me :)  As for
>>>> pf_ring, this was just a git pull...which...is apparently like..uber
>>>> fresh:
>>>> 
>>>> commit aa5bf8f7d0662d411465895b8ee8fe8935084a6f
>>>> Author: Luca Deri <deri at ...8215...>
>>>> Date:   Tue Nov 1 10:53:58 2016 +0100
>>>> 
>>>> This is just a dev box, so I can wait until it's fixed...oddly, suricata
>>>> tests fine:
>>>> 
>>>> /opt/suricata/etc/suricata$] sudo suricata --pfring-int=eth0 \
>>>>     --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -T -c \
>>>>     /opt/suricata/etc/suricata/suricata.yaml
>>>> 1/11/2016 -- 12:13:38 - <Info> - Running suricata under test mode
>>>> 1/11/2016 -- 12:13:38 - <Notice> - This is Suricata version 3.1.3 RELEASE
>>>> 1/11/2016 -- 12:13:47 - <Notice> - Configuration provided was successfully loaded. Exiting.
>>>> 
>>>> pfring config steps:
>>>> 
>>>> git clone https://github.com/ntop/PF_RING.git
>>>> cd PF_RING/kernel
>>>> make
>>>> sudo make install
>>>> 
>>>> cd ../userland/lib
>>>> ./configure --prefix=/opt/pfring
>>>> sudo make install
>>>> 
>>>> cd ../libpcap
>>>> ./configure --prefix=/opt/pfring
>>>> sudo make install
>>>> 
>>>> cd ../tcpdump
>>>> ./configure --prefix=/opt/pfring
>>>> sudo make install
>>>> 
>>>> cd ../userland/snort/pfring-daq-module
>>>> autoreconf -ivf
>>>> ./configure --with-libpfring-includes=/opt/pfring/include \
>>>>     --with-libpfring-libraries=/opt/pfring/lib
>>>> make
>>>> sudo cp .libs/daq_pfring.so /usr/local/lib/daq/
>>>> 
>>>> modprobe pf_ring enable_tx_capture=1 min_num_slots=32768
>>>> 
>>>> snort config line:
>>>> ./configure --prefix=/opt/snort --enable-non-ether-decoders \
>>>>     --enable-sourcefire --enable-shared-rep --enable-control-socket \
>>>>     --enable-open-appid --with-libpcap-includes=/opt/pfring/include \
>>>>     --with-libpcap-libraries=/opt/pfring/lib \
>>>>     --with-libpfring-includes=/opt/pfring/include \
>>>>     --with-libpfring-libraries=/opt/pfring/lib
>>>> 
>>>> Thanks again.
>>>> 
>>>> James
>>>> 
>>>> On 2016-11-01 12:44, Y M wrote:
>>>>> A long shot at this, but were all the pf_ring modules (driver,
>>>>> kernel, pfring libpcap, pfring daq) compiled and installed from the
>>>>> recent source? If you revert back to the stable version (apt/yum
>>>>> install), does it work? You can also try uninstalling then make clean
>>>>> and make distclean, and recompile again.
>>>>> 
>>>>> YM
>>>>> -------------------------
>>>>> 
>>>>> FROM: James Lay <jlay at ...13475...>
>>>>> SENT: Tuesday, November 1, 2016 9:03:38 PM
>>>>> TO: Snort
>>>>> SUBJECT: [Snort-users] Seg fault with latest pf_ring git
>>>>> 
>>>>> Topic says it.  Config test run:
>>>>> 
>>>>> sudo snort --daq-dir=/usr/local/lib/daq --daq pfring  -T -c \
>>>>>     /opt/snort/etc/snort.conf
>>>>> 
>>>>> backtrace:
>>>>> 
>>>>> #0  0x00007ffff6b681a8 in pfring_get_card_settings () from /opt/pfring/lib/libpcap.so.1
>>>>> #1  0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized out>, ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at daq_pfring.c:491
>>>>> #2  0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at sfdaq.c:515
>>>>> #3  0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "") at sfdaq.c:553
>>>>> #4  0x000000000043ba5d in SnortMain (argc=7, argv=0x7fffffffe678) at snort.c:875
>>>>> #5  0x000000000043b9b3 in main (argc=7, argv=0x7fffffffe678) at snort.c:836
>>>>> 
>>>>> sudo snort --daq-dir=/usr/local/lib/daq --daq-list
>>>>> Available DAQ modules:
>>>>> pfring(v1): live inline multi unpriv
>>>>> pcap(v3): readback live multi unpriv
>>>>> ipfw(v3): live inline multi unpriv
>>>>> dump(v3): readback live inline multi unpriv
>>>>> afpacket(v5): live inline multi unpriv
>>>>> 
>>>>> Not sure of my next step.
>>>>> 
>>>>> James
>>>>> 
>>>>> 
>>> ------------------------------------------------------------------------------
>>>>> Developer Access Program for Intel Xeon Phi Processors
>>>>> Access to Intel Xeon Phi processor-based developer platforms.
>>>>> With one year of Intel Parallel Studio XE.
>>>>> Training and support from Colfax.
>>>>> Order your platform today. http://sdm.link/xeonphi
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> [1]
>>>>> Please visit http://blog.snort.org to stay current on all the
>>> latest
>>>>> Snort news!
>>> 
>>> Links:
>>> ------
>>> [1] 
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

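Added example (not part of the original thread): a small triage script for the backtrace quoted above, showing why rebuilding with debugging information and -O0 was suggested. It reports which shared object the crashing frame resolved into without source information and which frames have arguments hidden by the optimizer; the sample is the thread's backtrace retyped as a constructed input, and the function names are this example's own.

```python
import re

# Backtrace from the report above, retyped as a constructed sample; frame #1
# is left wrapped the way gdb output often arrives in mail.
BACKTRACE = """\
#0  0x00007ffff6b681a8 in pfring_get_card_settings () from /opt/pfring/lib/libpcap.so.1
#1  0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized out>,
    ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at daq_pfring.c:491
#2  0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at sfdaq.c:515
#3  0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "") at sfdaq.c:553
#4  0x000000000043ba5d in SnortMain (argc=7, argv=0x7fffffffe678) at snort.c:875
#5  0x000000000043b9b3 in main (argc=7, argv=0x7fffffffe678) at snort.c:836
"""

# One gdb frame: index, optional address, function, args, then either
# "at file:line" (debug info present) or "from library" (no debug info).
FRAME = re.compile(
    r"^#(?P<idx>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \((?P<args>.*)\)"
    r"(?: at (?P<src>\S+):(?P<line>\d+)| from (?P<lib>\S+))?$")

def parse_frames(text):
    """Rejoin wrapped lines, then parse each gdb frame into a dict."""
    joined = []
    for raw in text.splitlines():
        if raw.startswith("#") or not joined:
            joined.append(raw.strip())
        elif raw.strip():
            joined[-1] += " " + raw.strip()   # continuation of previous frame
    frames = []
    for line in joined:
        m = FRAME.match(line)
        if m:
            frames.append(m.groupdict())
    return frames

def triage(frames):
    """Report which objects need -g and which frames show optimizer effects."""
    no_source = [f for f in frames if f["src"] is None]
    return {
        "crash_frame": frames[0]["func"] if frames else None,
        "rebuild_with_debug": sorted({f["lib"] for f in no_source if f["lib"]}),
        "optimized_frames": [int(f["idx"]) for f in frames
                             if "<optimized out>" in f["args"]],
    }

if __name__ == "__main__":
    for key, value in triage(parse_frames(BACKTRACE)).items():
        print(f"{key}: {value}")
```
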


