Hello Luca and Alfredo,

Thanks for your answers.

I'm going to install the svn version this afternoon.

Meanwhile, I tried using the zc interface, but the same error occurred:


# /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc -i zc:eth4 -v -e
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pfring_zc DAQ configured to passive.
ERROR: Can't initialize DAQ pfring_zc (-1) -
Fatal Error, Quitting..

# /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc --daq-var clusterid=99 -i zc:eth4 -v -e
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pfring_zc DAQ configured to passive.
ERROR: Can't initialize DAQ pfring_zc (-1) -
Fatal Error, Quitting..


On Mon, Apr 27, 2015 at 12:02 PM, Alfredo Cardigliano <[email protected]>
wrote:

> Hi Jose
> please update the code from svn (we improved error reporting), and re-run
> your command using “zc:eth4” as Luca said.
>
> Alfredo
>
> On 27 Apr 2015, at 11:41, Luca Deri <[email protected]> wrote:
>
> Jose,
> for using zc you need to use device “zc:eth4”. I am not sure you need the
> cluster parameter
>
> Luca
>
>
> On 27 Apr 2015, at 11:36, Jose Vila <[email protected]> wrote:
>
> Hello,
>
> I've installed PF_RING from the ntop repository, and compiled snort + daq
> + pfring daq from source, but have problems running snort ...
>
> I can run zcount and it gives good statistics on traffic rate:
>
> # zcount -i eth4 -c 99
> =========================
> Absolute Stats: 120'907 pkts (0 drops) - 89'395'069 bytes
> =========================
>
> =========================
> Absolute Stats: 249'119 pkts (0 drops) - 185'193'671 bytes
> Actual Stats: 128'178.92 pps (0.00 drops) - 0.77 Gbps
> =========================
>
> =========================
> Absolute Stats: 328'063 pkts (0 drops) - 243'939'955 bytes
> Actual Stats: 127'437.35 pps (0.00 drops) - 0.76 Gbps
> =========================
> [ ... ]
>
> But Snort execution fails (same error with pfring and pfring_zc daq):
>
> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc
> --daq-var clusterid=99 -i eth4 -v -e
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> pfring_zc DAQ configured to passive.
> ERROR: Can't initialize DAQ pfring_zc (-1) -
> Fatal Error, Quitting..
>
> If I list the loaded daqs both pfring and pfring_zc exist:
>
> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq-list
> Available DAQ modules:
> pfring(v1): live inline multi unpriv
> pfring_zc(v10): live inline multi unpriv
> pcap(v3): readback live multi unpriv
> ipfw(v3): live inline multi unpriv
> dump(v2): readback live inline multi unpriv
> afpacket(v5): live inline multi unpriv
>
> The NIC is a 10G Intel NIC with the ixgbe driver. Hugepages are correctly
> configured.
>
> Am I missing something here?
>
> Thank you very much.
>
> FYI, installed packages:
>
> # yum list installed | grep ntop
> e1000e-zc.noarch     3.0.4.1-1dkms      @ntop-noarch
> igb-zc.noarch        5.2.5-1dkms        @ntop-noarch
> ixgbe-zc.noarch      3.22.3-1dkms       @ntop-noarch
> pfring.x86_64        6.0.3-8637         @ntop
> pfring-dkms.noarch   6.0.3-dkms         @ntop-noarch
> pfring-drivers-zc-dkms.noarch 1.0-0     @ntop-noarch
>
>
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc