Snort mailing list archives
Re: Seg fault with latest pf_ring git
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 01 Nov 2016 14:31:30 -0600
Can do...this is on Ubuntu 16.04, non virtual :) I'll report what I got in a bit.

James

On 2016-11-01 14:15, Michael Altizer wrote:
I don't know that there's much that we can do without trying to get pf_ring up and running ourselves (I tried briefly on an Ubuntu 16.04 VM, but that wouldn't compile and I'll probably try again on another, older system). I'd suggest recompiling the pf_ring library and pcap library with debugging information (and maybe -O0 for good measure) so you can see *why* it's crashing in the pf_ring code.

On 11/01/2016 03:51 PM, James Lay wrote:

Yep...looks like I wait for the Snort devs ;)

James

On 2016-11-01 13:49, Y M wrote:

There used to be two types of drivers: PF_RING aware and ZC. The ZC ones are for PF_RING ZC, which require a license. Looking at the directory now I see the "aware" drivers are not there anymore. So I stand corrected at this point, as I am not sure how would these play with non-ZC PF_RING.

YM

-------------------------
FROM: James Lay <jlay () slave-tothe-box net>
SENT: Tuesday, November 1, 2016 10:41:05 PM
TO: Y M
CC: Snort
SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git

Thanks YM....yea I looked at the drivers, but I think they are only needed for PF_RING ZC support? I'm not a pro with pf_ring, so I could be way off. I'll fiddle and see what happens..thanks again.

James

On 2016-11-01 13:35, Y M wrote:

Always happy to help, James. Odd that suricata works. Just a couple of notes which may not be related. I see that you did not compile the pf_ring driver (cd drivers/PF_RING_aware/intel/<igb|igbxe>/<version>/src && sudo make install). Since part of the error is "pfring_get_card_settings()", maybe this is related? A second note is that the "min_num_slots" while loading the pfring kernel module, "I believe", is no longer required, which is obviously not related to your issue. I guess Luca is already on top of it.
YM

-------------------------
FROM: James Lay <jlay () slave-tothe-box net>
SENT: Tuesday, November 1, 2016 10:19:35 PM
TO: Y M
CC: Snort
SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git

Thanks YM....your willingness to help always impresses me :) As for pf_ring, this was just a git pull...which...is apparently like..uber fresh:

commit aa5bf8f7d0662d411465895b8ee8fe8935084a6f
Author: Luca Deri <deri () ntop org>
Date: Tue Nov 1 10:53:58 2016 +0100

This is just a dev box, so I can wait until it's fixed...oddly, suricata tests fine:

/opt/suricata/etc/suricata$] sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -T -c /opt/suricata/etc/suricata/suricata.yaml
1/11/2016 -- 12:13:38 - <Info> - Running suricata under test mode
1/11/2016 -- 12:13:38 - <Notice> - This is Suricata version 3.1.3 RELEASE
1/11/2016 -- 12:13:47 - <Notice> - Configuration provided was successfully loaded. Exiting.

pfring config steps:

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make
sudo make install
cd ../userland/lib
./configure --prefix=/opt/pfring
sudo make install
cd ../libpcap
./configure --prefix=/opt/pfring
sudo make install
cd ../tcpdump
./configure --prefix=/opt/pfring
sudo make install
cd ../userland/snort/pfring-daq-module
autoreconf -ivf
./configure --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib
make
sudo cp .libs/daq_pfring.so /usr/local/lib/daq/
modprobe pf_ring enable_tx_capture=1 min_num_slots=32768

snort config line:

./configure --prefix=/opt/snort --enable-non-ether-decoders --enable-sourcefire --enable-shared-rep --enable-control-socket --enable-open-appid --with-libpcap-includes=/opt/pfring/include --with-libpcap-libraries=/opt/pfring/lib --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib

Thanks again.
James

On 2016-11-01 12:44, Y M wrote:

A long shot at this, but were all the pf_ring modules (driver, kernel, pfring libpcap, pfring daq) compiled and installed from the recent source? If you revert back to the stable version (apt/yum install), does it work? You can also try uninstalling then make clean and make distclean, and recompile again.

YM

-------------------------
FROM: James Lay <jlay () slave-tothe-box net>
SENT: Tuesday, November 1, 2016 9:03:38 PM
TO: Snort
SUBJECT: [Snort-users] Seg fault with latest pf_ring git

Topic says it. Config test run:

sudo snort --daq-dir=/usr/local/lib/daq --daq pfring -T -c /opt/snort/etc/snort.conf

backtrace:

#0 0x00007ffff6b681a8 in pfring_get_card_settings () from /opt/pfring/lib/libpcap.so.1
#1 0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized out>, ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at daq_pfring.c:491
#2 0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at sfdaq.c:515
#3 0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "") at sfdaq.c:553
#4 0x000000000043ba5d in SnortMain (argc=7, argv=0x7fffffffe678) at snort.c:875
#5 0x000000000043b9b3 in main (argc=7, argv=0x7fffffffe678) at snort.c:836

sudo snort --daq-dir=/usr/local/lib/daq --daq-list
Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

Not sure of my next step.

James

------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.
http://sdm.link/xeonphi
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users [1]
Please visit http://blog.snort.org to stay current on all the latest Snort news!

Links:
------
[1] http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users