Hi, I've got a strange problem when trying to increase the number of cores used by my Suricata+Bro IDS(+ARGUS) setup. When I try to get Suricata to use more than 8 devices, it fails on my Ubuntu 12.04 (kernel 3.2.0) boxes. However on my Ubuntu 10.04 (kernel 2.6.32) box it seems OK.
Strangely, there's no problem running Suricata, using libpfring, on dnacluster:1@0 .. 1@7 and Bro IDS, using lipcap, on dnacluster:1@8 .. 1@15 (with my custom pfdnacluster_master that duplicates traffic). I can reproduce the problem with pfcount_aggregator (with "#define MAX_NUM_DEVS 16" rather than 8):- > pfdnacluster_master -i dna0 -c 1 -n 12 > pfcount_aggregator_cdw -i > dnacluster:1@0+dnacluster:1@1+dnacluster:1@2+dnacluster:1@3+dnacluster:1@4+dnacluster:1@5+dnacluster:1@6+dnacluster:1@7+dnacluster:1@8+dnacluster:1@9+dnacluster:1@10+dnacluster:1@11 > -l 1522 > Using PF_RING v.5.4.5 > Impossible to know the device address > # Device RX channels: 1 > pfring_set_direction returned [rc=-7][direction=0] > Impossible to know the device address > # Device RX channels: 1 > pfring_set_direction returned [rc=-7][direction=0] > Impossible to know the device address > # Device RX channels: 1 > pfring_set_direction returned [rc=-7][direction=0] > Impossible to know the device address > # Device RX channels: 1 > pfring_set_direction returned [rc=-7][direction=0] > Impossible to know the device address > # Device RX channels: 1 > pfring_set_direction returned [rc=-7][direction=0] > Impossible to know the device address > # Device RX channels: 1 > pfring_set_direction returned [rc=-7][direction=0] > Impossible to know the device address > # Device RX channels: 1 > pfring_set_direction returned [rc=-7][direction=0] > Impossible to know the device address > # Device RX channels: 1 > pfring_set_direction returned [rc=-7][direction=0] > pfring_open error [Cannot allocate memory] (pf_ring not loaded or perhaps you > use quick mode and have already a socket bound to dnacluster:1@8 ?) The 12.04 boxes have ixgbe devices loaded with "insmod ixgbe.ko RSS=1,1 FdirPballoc=3,3 mtu=1522". The 10.04 box has e1000e (DNA demo license) loaded with just "insmod e1000e". Is this expected? Best Wishes, Chris -- --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+- Christopher Wakelin, [email protected] IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908 Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094 _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
