Hello all...
Apologies for the following - I've tried searching and also
reading a variety of documentation without much success.
I have a box running Debian Lenny.
I've downloaded PF_RING from svn and compiled
the kernel module fine:
#lsmod|grep ring
pf_ring 29144 1
I then tried to build Snort (2.8.5.2) with PF_RING support.
I followed the instructions in PF_RING/userland/README.snort
but ended up with a variety of problems where the libraries were not being
located, so I ended up installing the modified pcap and pfring to
/usr/local.
My final snort:
# ldd /opt/bin/snort
linux-gate.so.1 => (0xb7f80000)
libpcre.so.3 => /usr/lib/libpcre.so.3 (0xb7f4e000)
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0xb7f1e000)
libpfring.so => /usr/local/lib/libpfring.so (0xb7f19000)
libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb7f00000)
libm.so.6 => /lib/i686/cmov/libm.so.6 (0xb7eda000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7ed6000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7d7b000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7d61000)
/lib/ld-linux.so.2 (0xb7f81000)
When I run pfcount I see stats like:
./pfcount -i eth1
Capturing from eth1
Using PF_RING v.4.1.1
# Device RX channels: 1
# Polling threads: 1
=========================
Absolute Stats: [43547 pkts rcvd][0 pkts dropped]
Total Pkts=43547/Dropped=0.0 %
43547 pkts - 32490693 bytes [43544.5 pkt/sec - 259.91 Mbit/sec]
=========================
=========================
Absolute Stats: [65835 pkts rcvd][0 pkts dropped]
Total Pkts=65835/Dropped=0.0 %
65835 pkts - 48835701 bytes [32912.3 pkt/sec - 195.31 Mbit/sec]
=========================
Actual Stats: 22288 pkts [1000.3 ms][22282.3 pkt/sec]
=========================
When I run Snort, though, the statistics look like:
netman3:/proc/net/pf_ring# cat 26497-eth1.10
Bound Device : eth1
Slot Version : 10 [4.1.1]
Sampling Rate : 1
Appl. Name : <unknown>
IP Defragment : No
BPF Filtering : Disabled
# Filt. Rules : 0
Cluster Id : 0
Channel Id : 255
Tot Slots : 4113
Bucket Len : 128
Slot Len : 214 [bucket+header]
Tot Memory : 880640
Tot Packets : 1659060
Tot Pkt Lost : 1658480
Tot Insert : 580
Tot Read : 580
Tot Fwd Ok : 0
Tot Fwd Errors : 0
Num Free Slots : 4113
And Snort is clearly not seeing any traffic at all.
I've tried to build the patched tg3 driver without fail (all the Intel cards build
so I'm probably going to get one of those for more testing) but I'm still
surprised/confused by the result from pfcount working fine and Snort seeing nothing.
Am I missing something obvious?
Thanks.
--
Peter Bates, Network Support & Development Officer
Goldsmiths, University of London
New Cross, London SE14 6NW. Telephone: 020 7919 7082
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc