OS : RH7
uname -a:
Linux XX.XX.XX.XX 3.10.0-123.20.1.el7.x86_64 #1 SMP Wed Jan 21 09:45:55 EST 2015 x86_64 x86_64 x86_64 GNU/Linux
PF_RING: 6.0.2 tarball
I've got ZC working with the PF_RING tcpdump.
tcpdump without zc:
% tcpdump -i enp4s0 -Xnns0 -c 1
tcpdump: WARNING: enp4s0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp4s0, link-type EN10MB (Ethernet), capture size 8192 bytes
[pkt data]
1 packets captured
1 packets received by filter
0 packets dropped by kernel
% tcpdump -i zc:enp4s0 -Xnns0 -c 1
tcpdump: WARNING: SIOCGIFADDR: zc:enp4s0: No such device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on zc:enp4s0, link-type EN10MB (Ethernet), capture size 8192 bytes
[pkt data]
1 packets captured
1 packets received by filter
192998 packets dropped by kernel
Is that normal?
Unfortunately, the tarball doesn't seem to have the zc snort daq, so
I tried the latest svn (9017).
% ./load_driver.sh
rmmod: ERROR: Module ixgbe is not currently loaded
rmmod: ERROR: Module pf_ring is not currently loaded
Warning: 0 hugepages available, 1024 requested
./load_driver.sh: line 49: killall: command not found
Configuring enp4s0
WARNING: irqbalance is running and will
likely override this script's affinitization.
Please stop the irqbalance service and/or execute
'killall irqbalance'
no rx vectors found on enp4s0
no tx vectors found on enp4s0
enp4s0 mask=1 for /proc/irq/73/smp_affinity
% pkill -x irqbalance
% tcpdump -i zc:enp4s0 -Xnns0 -c 1
tcpdump: WARNING: SIOCGIFADDR: zc:enp4s0: No such device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on zc:enp4s0, link-type EN10MB (Ethernet), capture size 8192 bytes
[pkt data]
1 packets captured
1 packets received by filter
117512 packets dropped by kernel
I rebooted, rmmoded ixgbe, insmoded pf_ring, then ran load_driver.sh again
and now tcpdump is reporting no dropped packets, but I'm getting an
error now:
% tcpdump -i zc:enp4s0 -Xnns0 -c 1
*** error retrieving hugepages info ***
tcpdump: WARNING: SIOCGIFADDR: zc:enp4s0: No such device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on zc:enp4s0, link-type EN10MB (Ethernet), capture size 8192 bytes
[pkt data]
1 packets captured
1 packets received by filter
0 packets dropped by kernel
However, if I try it without the zc:<int>, I get a kernel panic. Attached
is a text file of the logs that go to the console and the relevant
messages from vmcore-dmesg.txt .
If I ensure I only use the zc: interface, snort cores on me:
% /opt/pf/bin/snort -i zc:enp4s0 --daq-dir=/opt/pf/lib/daq \
--daq pfring_zc --daq-var clusterid=44 --daq-var bindcpu=14 \
-c /etc/snort/snort-pf.conf -l /var/log/snort
pfring_zc DAQ configured to passive.
libnuma: Warning: /sys not mounted or invalid. Assuming one node: No such
file or directory
libnuma: Warning: node argument 1 is out of range
zsh: segmentation fault (core dumped) /opt/pf/bin/snort -i zc:enp4s0
--daq-dir=/opt/pf/lib/daq --daq pfring_zc
% gdb /opt/pf/bin/snort core.6623
[gdb banner]
Reading symbols from /opt/pf/bin/snort...(no debugging symbols
found)...done.
[New LWP 6623]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/opt/pf/bin/snort -i zc:enp4s0
--daq-dir=/opt/pf/lib/daq --daq pfring_zc --daq-'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f8533b96335 in numa_run_on_node_mask () from /lib64/libnuma.so.1
Missing separate debuginfos, use: debuginfo-install
my-snort-2.9.7.0-2.x86_64
(gdb) where
#0 0x00007f8533b96335 in numa_run_on_node_mask () from /lib64/libnuma.so.1
#1 0x00007f8533b96ab9 in numa_bind () from /lib64/libnuma.so.1
#2 0x00007f8533dcb651 in pfring_zc_create_cluster () from
/opt/pf/lib/libpfring.so
#3 0x00007f852cd09982 in pfring_zc_daq_initialize (config=0x7fff768fc790,
ctxt_ptr=0xeb00d0 <daq_hand>,
errbuf=0x7fff768fc7c0 "", len=256) at daq_pfring_zc.c:478
#4 0x00000000004e7729 in daq_initialize ()
#5 0x000000000044ef85 in DAQ_New ()
#6 0x00000000004347c7 in SnortMain ()
#7 0x00007f8534222af5 in __libc_start_main () from /lib64/libc.so.6
#8 0x000000000040515d in _start ()
Let me know if you need anything else.
--
Jim Hranicky
Data Security Specialist
UF Information Technology
105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826
352-273-1341
Information Security Office
[ 147.259792] device enp4s0 entered promiscuous mode
[ 147.309805] device enp4s0 left promiscuous mode
[ 203.210207] device enp4s0 entered promiscuous mode
[ 203.254819] device enp4s0 left promiscuous mode
[ 355.011999] device enp4s0 entered promiscuous mode
[ 355.016082] BUG: unable to handle kernel paging request at ffffffffffffffff
[ 355.016150] IP: [<ffffffffffffffff>] 0xfffffffffffffffe
[ 355.016195] PGD 18d3067 PUD 18d5067 PMD 0
[ 355.016229] Oops: 0010 [#1] SMP
[ 355.016257] Modules linked in: ixgbe(OF) pf_ring(OF) ip6t_rpfilter
ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
ip_tables sg ipmi_devintf ipmi_si ipmi_msghandler serio_raw amd64_edac_mod
edac_mce_amd sp5100_tco edac_core shpchp i2c_piix4 k10temp kvm_amd kvm pcspkr
acpi_cpufreq mperf xfs libcrc32c sr_mod cdrom sd_mod crc_t10dif
crct10dif_common ast syscopyarea sysfillrect sysimgblt i2c_algo_bit
drm_kms_helper ttm drm ahci libahci mdio libata ptp i2c_core pps_core
megaraid_sas bnx2
[ 355.016866] dca usb_storage dm_mirror dm_region_hash dm_log dm_mod [last
unloaded: pf_ring]
[ 355.016928] CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: GF
O-------------- 3.10.0-123.20.1.el7.x86_64 #1
[ 355.016990] Hardware name: IBM IBM System X3755 M3 -[7164D2G]-/00AL982 ,
BIOS -[AYE169AUS-1.16]- 07/18/2014
[ 355.017053] task: ffff8802744d96c0 ti: ffff8802744e2000 task.ti:
ffff8802744e2000
[ 355.017099] RIP: 0010:[<ffffffffffffffff>] [<ffffffffffffffff>]
0xfffffffffffffffe
[ 355.017152] RSP: 0018:ffff8802744e3640 EFLAGS: 00010282
[ 355.017186] RAX: ffff88046a2f2b80 RBX: ffff88046c6a3800 RCX: 0000000000000000
[ 355.017231] RDX: 000000000000000e RSI: ffff88046a2f2ba0 RDI: ffff88046c6a3800
[ 355.017275] RBP: ffff8802744e3680 R08: 000000000000000e R09: 0000000000000000
[ 355.017319] R10: 0000000000000001 R11: ffff88046c6a3800 R12: 000000000000000e
[ 355.017363] R13: 0000000000000040 R14: ffff880464b9bc4e R15: ffff88046a2cc000
[ 355.017408] FS: 00007f924124a800(0000) GS:ffff880277a00000(0000)
knlGS:0000000000000000
[ 355.017457] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 355.017493] CR2: ffffffffffffffff CR3: 000000027166c000 CR4: 00000000000007f0
[ 355.017538] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 355.017583] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 355.017626] Stack:
[ 355.017641] ffffffffa0571d12 ffff88046a2cc000 ffffffff00000001
ffff88046a2cc000
[ 355.017702] ffff8802744e3a90 000000000000000e ffff88046c6a3800
ffff8802744e36f0
[ 355.017760] ffff8802744e3960 ffffffffa057216e 0000000000000000
0000000000000000
[ 355.017817] Call Trace:
[ 355.017842] [<ffffffffa0571d12>] ? bpf_filter_skb+0x52/0xe0 [pf_ring]
[ 355.017888] [<ffffffffa057216e>] add_skb_to_ring.isra.42+0x3ce/0x10f0
[pf_ring]
[ 355.017938] [<ffffffffa0573b9f>] skb_ring_handler+0xd0f/0x1ed0 [pf_ring]
[ 355.017985] [<ffffffffa0574db1>] packet_rcv+0x51/0x90 [pf_ring]
[ 355.018028] [<ffffffff814d02a0>] __netif_receive_skb_core+0x380/0x870
[ 355.018071] [<ffffffff814d07a8>] __netif_receive_skb+0x18/0x60
[ 355.018110] [<ffffffff814d0830>] netif_receive_skb+0x40/0xd0
[ 355.018149] [<ffffffff814d1290>] napi_gro_receive+0x80/0xb0
[ 355.018193] [<ffffffffa04bd216>] ixgbe_clean_rx_irq+0x516/0xcb0 [ixgbe]
[ 355.018241] [<ffffffffa04beadc>] ixgbe_poll+0x3fc/0x720 [ixgbe]
[ 355.018281] [<ffffffff814d0bfa>] net_rx_action+0x15a/0x250
[ 355.018320] [<ffffffff81067047>] __do_softirq+0xf7/0x290
[ 355.018356] [<ffffffff81067210>] run_ksoftirqd+0x30/0x50
[ 355.018394] [<ffffffff8108e30f>] smpboot_thread_fn+0xff/0x1a0
[ 355.018433] [<ffffffff8108e210>] ? lg_global_unlock+0xc0/0xc0
[ 355.018471] [<ffffffff81085aff>] kthread+0xcf/0xe0
[ 355.019061] device enp4s0 left promiscuous mode
[ 355.021653] [<ffffffff81085a30>] ? kthread_create_on_node+0x140/0x140
[ 355.023212] [<ffffffff815f316c>] ret_from_fork+0x7c/0xb0
[ 355.024763] [<ffffffff81085a30>] ? kthread_create_on_node+0x140/0x140
[ 355.026324] Code: Bad RIP value.
[ 355.027846] RIP [<ffffffffffffffff>] 0xfffffffffffffffe
[ 355.029351] RSP <ffff8802744e3640>
[ 355.030791] CR2: ffffffffffffffff