Re: [Ntop-misc] Using PF_RING Aware Drivers with VLAN Trunk

Tue, 19 Mar 2013 11:44:37 -0700

The pf_ring daq is also using the libpcap out of the PF_RING/userland/libpcap. 

# ldd /usr/local/lib/daq/daq_pfring.so
    linux-vdso.so.1 =>  (0x00007fff197bf000)
    libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00007fee9344e000)
    libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fee931f8000)
    libpfring.so => /usr/local/lib/libpfring.so (0x00007fee92fd3000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fee92db1000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fee92a1d000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fee93878000)
There was someone encountering similar issues to me in the list, see this archive on Gossamer Threads: 
http://www.gossamer-threads.com/lists/ntop/misc/29722?do=post_view_threaded

Unfortunately he never replied with is fix.
Everything has officially been recompiled and double checked on using the right libpcap. I'm at a loss at this point. 

Thanks for the help so far!


On 03/19/2013 01:15 PM, Justin Azoff wrote:

On Tue, Mar 19, 2013 at 01:07:32PM -0500, Ryan wrote:

No go on that one either, I'm pretty well scratching my head over here. I'm
going through and recompiling and reinstalling everything to make sure that it
is all using the proper libpcap.

Anything special I would need to do on exporting that environment variable? I
just added it to /etc/profile and logged out and back in.

Here's snort:

# ldd `which snort`
     linux-vdso.so.1 =>  (0x00007fff015ff000)
     libdnet.1 => /usr/local/lib/libdnet.1 (0x00007f4dad6f6000)
     libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f4dad4c4000)
     libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f4dad2ab000)
     libm.so.6 => /lib64/libm.so.6 (0x00007f4dad027000)
     libdl.so.2 => /lib64/libdl.so.2 (0x00007f4dace22000)
     libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00007f4dacbfd000)
     libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007f4dac9a8000)
     libz.so.1 => /lib64/libz.so.1 (0x00007f4dac791000)
     libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4dac574000)
     libc.so.6 => /lib64/libc.so.6 (0x00007f4dac1e1000)
     /lib64/ld-linux-x86-64.so.2 (0x00007f4dad907000)

The libpcap is the one compiled/installed out of the PF_RING/userland folder. I
can't help but think it is something further down the chain since if I use the
DNA based drivers I can see the traffic.

RG

That's fine, the daq module is what should be linked against pf_ring:

     # ldd /usr/local/lib/daq/daq_pfring.so

Or, if for some reason you aren't using the pf_ring daq:

     # ldd /usr/local/lib/daq/daq_pcap.so



_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Reply via email to