-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Further testing has shown that the issue may not be snort- or daq-
related.  While testing using just tcpdump 4.1.1 (from
/userland/tcpdump-4.1.1) I discovered that if left to watch traffic
for a period of time it will stop seeing traffic.

If I run sudo ./tcpdump -nni zc:eth0@0 it will spill traffic to the
screen for a period of time (sometimes a few seconds and sometimes a
couple/few minutes) and then it will stop. If I output the data to a
file (using the -w flag) the file will grow for a similar period of
time and then stop growing.

Additionally, if I run tcpdump in two different windows each with a
different queue (zc:eth0@0 and zc:eth0@1) they will also stop at the
same time.

Finally, when running this tcpdump, I get the following error
despite the fact that some traffic will be dumped:

tcpdump: WARNING: SIOCGIFADDR: zc:eth0@0: No such device

While I have no particular evidence this is related to the snort
problem I was reporting earlier, given the length of time it generally
runs for, it may be that this is the reason snort is using no CPU: it's
just not seeing traffic.

This is running on RHEL 6.6 with the kernel back-revd to
2.6.32-431.el6.x86_64; the PF_RING version I was testing this on is
svn rev 8550.

I have now seen this issue not only on the original system but on an
identical one with a fresh OS, development tools, etc., though still
with the back-revd kernel.

Yours,

John

On 10/27/2014 12:54 PM, John Ives wrote:
> On 10/27/2014 10:01 AM, John Ives wrote:
>> On 10/27/2014 09:15 AM, Alfredo Cardigliano wrote:
>>> Hi John are you able to debug a bit the daq and provide the 
>>> errno value after the failing call?
> 
>> Tell me the tools you want me to run and the output you want and 
>> I will provide it. In the meantime I have noticed that when it 
>> is running it seems to be processing no data.
> 
> Some trial and error testing has shown that running without the 
> zc:eth0@0 (instead using just eth0) means that traffic will be 
> processed and alerts will be generated. In comparison using 
> zc:eth0@0 leads to snort using virtually no cpu and generating no 
> alerts.
> 
> This works:
> 
> snort --pid-path /var/run --create-pidfile 
> --daq-dir=/usr/local/lib/daq/ --daq pfring_zc -i eth0 --daq-mode 
> passive -c /snort/config/snort.conf -l /snort/logs/0 -y -d 
> --daq-var bindcpu=0 --daq-var clusterid=0
> 
> This does not:
> 
> snort --pid-path /var/run --create-pidfile 
> --daq-dir=/usr/local/lib/daq/ --daq pfring_zc -i zc:eth0@0 
> --daq-mode passive -c /snort/config/snort.conf -l /snort/logs/0 -y 
> -d --daq-var bindcpu=0 --daq-var clusterid=0 -D
> 
>>> Probably the problem is that you are not setting a different 
>>> cluster id per instance (--daq-var clusterid=X), I am updating
>>>  the README in SVN.
> 
>> Thank you. That seems to have worked.
> 
> 
> To clarify further, snort is now running multiple instances. 
> However, I am still getting the following errors related to
> libnuma for every launch after the first:
> 
> libnuma: Warning: node 9 not allowed 
> numa_sched_setaffinity_v2_int() failed; abort : Invalid argument 
> set_mempolicy: Invalid argument
> 
> Yours,
> 
> John
> 
>>>> On 24 Oct 2014, at 01:45, John Ives 
>>>> <[email protected]> wrote:
>>>> 
>>> I have gotten to the place that I can get pf_ring, snort, daq 
>>> and the daq_zc all built without issue. Launching snort 
>>> following the basic examples in the 
>>> pfring-daq-module-zc/README.1st is fine for the first instance 
>>> (using options --daq pfring_zc -i zc:eth0@0 --daq-mode passive 
>>> --daq-var bindcpu=0), however subsequent launches (where the 
>>> queue interface is zc:eth0@1 and the bindcpu is 1) result in:
> 
>>> libnuma: Warning: node 9 not allowed
>>> numa_sched_setaffinity_v2_int() failed; abort : Invalid argument
>>> set_mempolicy: Invalid argument
>>> ERROR: Can't initialize DAQ pfring_zc (-1) - Fatal Error, Quitting..
> 
>>> The pf_ring and ixgbe (3.22.3-zc) drivers were set up using the 
>>> load_drivers.sh script with the following options:
> 
>>> pf_ring.ko transparent_mode=2 enable_tx_capture=0 ixgbe.ko 
>>> MQ=1,1,1,1 RSS=16,16,16,16
> 
>>> Also, if I try to end the running instance of snort using kill 
>>> <PID> it does not respond and I have to kill it using kill -9 
>>> <PID>.
> 
>>> OS and software details
> 
>>> RedHat 6.6 (with the kernel back-revd to 2.6.32-431.el6.x86_64)
>>> PF_RING 6.0.3 (svn rev 8477)
>>> Snort 2.9.6.2
>>> DAQ 2.0.2
> 
>>> Yours,
> 
>>> John
> 

-- 
-------------------------------------------------------------------------
John Ives
Information Security & Policy                       Phone (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJUWVdNAAoJEJkidK6qbywsg4AIAJA0x6AluWA3CPw7HCr2zYGc
plbZhyLqiPGJ6Rl1HQFmAiarnI1gDddZTRx40GzeHL0k5sSZKigi1zCwy8RBN24j
Ij3G3e0JhwqUuuOwiVamA2pNTnoCikCS2ESAGNRY9qc5IGHEckAPCBep8N6VYz/U
atXSxVyczznrw7lIkxZCRC3e2vmGBCouoeEobcdpAbI5VGG/fY2W3RuJD6KcyJK1
PYC/JXHn/E4QJHZhxnSdtSWFycgJ5I6405jr+1803hogBQNCfJBMlAgZoOsNAtQV
4b1kBO73oR5Bq3NBmC/AfkXUj8b5BwzWVBSjovld0K6F4VVx7XXieysAQXi6Pvk=
=zgby
-----END PGP SIGNATURE-----
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
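The per-queue launch discussed in this thread (one snort/pfring_zc instance per zc:eth0@N queue, each with its own clusterid and bindcpu) and a check for the "capture file stops growing" symptom John describes, written up as an added example that is not part of the original posts or of the PF_RING, DAQ or snort projects. The daq options and paths are copied from John's working command line; SNORT_BIN, LOG_BASE, the DRY_RUN switch and the CPU sanity check are assumptions of the example, and the CPU check is a plain range check, not a diagnosis of the libnuma warning quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: SNORT_BIN, LOG_BASE,
# DRY_RUN and cpu_exists are this example's; daq options mirror the
# working command line posted by John.

SNORT_BIN=${SNORT_BIN:-snort}
LOG_BASE=${LOG_BASE:-/snort/logs}

# snort_cmd IFACE N: command line for ZC queue zc:IFACE@N.
# Each instance gets a distinct clusterid and bindcpu; a shared clusterid
# was the problem Alfredo pointed to earlier in the thread.
snort_cmd() {
    iface=$1; n=$2
    printf '%s' "$SNORT_BIN --pid-path /var/run --create-pidfile" \
        " --daq-dir=/usr/local/lib/daq/ --daq pfring_zc -i zc:${iface}@${n}" \
        " --daq-mode passive -c /snort/config/snort.conf -l ${LOG_BASE}/${n}" \
        " -y -d --daq-var bindcpu=${n} --daq-var clusterid=${n} -D"
}

# cpu_exists N: bindcpu must name a CPU the kernel reports (0..nproc-1).
# Assumption of this example: a simple sanity check before launching.
cpu_exists() {
    [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -lt "$(nproc)" ]
}

# file_size F: byte count of F, or 0 if it does not exist yet.
file_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# capture_state OLD NEW: classify two size samples of a capture file taken
# some seconds apart. "growing" is healthy; "stalled" is the symptom in the
# thread (tcpdump -w output stops growing while the process keeps running);
# "truncated" means the file shrank, e.g. it was rotated underneath us.
capture_state() {
    if [ "$2" -gt "$1" ]; then echo growing
    elif [ "$2" -eq "$1" ]; then echo stalled
    else echo truncated
    fi
}

# watch_capture F WINDOW: sample F twice, WINDOW seconds apart, and report.
watch_capture() {
    a=$(file_size "$1"); sleep "$2"; b=$(file_size "$1")
    capture_state "$a" "$b"
}

# launch_all IFACE COUNT: one instance per queue 0..COUNT-1. With DRY_RUN=1
# (the default here) the command lines are printed instead of executed.
launch_all() {
    iface=$1; count=$2; i=0
    while [ "$i" -lt "$count" ]; do
        if cpu_exists "$i"; then
            if [ "${DRY_RUN:-1}" = 1 ]; then
                snort_cmd "$iface" "$i"; echo
            else
                eval "$(snort_cmd "$iface" "$i")"
            fi
        else
            echo "cpu $i not present, skipping queue $i" >&2
        fi
        i=$((i + 1))
    done
}
```

Usage: `launch_all eth0 4` prints the four command lines (DRY_RUN=0 runs them), and `watch_capture /tmp/cap.pcap 30` run against a `tcpdump -w /tmp/cap.pcap` output file prints `stalled` when the file has stopped growing over the window, which is the observation John made by eye.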
