Hello again,
I recompiled the following from SVN: pf_ring kernel module, pf_ring
library, libpcap, daq and pfring_daq_zc.
Now executing snort with the zc interface throws an error:
# /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc --daq-var clusterid=99 -i zc:eth4 -v -e
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pfring_zc DAQ configured to passive.
ERROR: Can't initialize DAQ pfring_zc (-1) - pfring_zc_open_device(): unable to open device 'zc:eth4' (RX)
Fatal Error, Quitting..
But executing without the zc interface seems to work.
# /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc --daq-var clusterid=99 -i eth4 -v -e
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pfring_zc DAQ configured to passive.
Acquiring network traffic from "eth4".
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.7.2 GRE (Build 177)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.6.2
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Commencing packet processing (pid=12146)
Decoding Ethernet
WARNING: No preprocessors configured for policy 0.
04/27-14:26:58.367470 00:09:0F:09:00:02 -> 00:00:5E:00:01:42 type:0x800 len:0x42
AAA.BBB.CCC.DDD:55006 -> AAA.BBB.CCC.DDD:80 TCP TTL:59 TOS:0x0 ID:37649 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x177AABF9 Ack: 0xD967D4DA Win: 0x225 TcpLen: 32
TCP Options (3) => NOP NOP TS: 21194506 968768806
WARNING: No preprocessors configured for policy 0.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
04/27-14:26:58.367489 2C:B6:93:04:AB:12 -> 00:09:0F:09:00:02 type:0x8100 len:0x5EE
AAA.BBB.CCC.DDD:80 -> AAA.BBB.CCC.DDD:46114 TCP TTL:58 TOS:0x0 ID:38162 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x8F1D3067 Ack: 0x9416E66E Win: 0x528 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2341720768 21194499
WARNING: No preprocessors configured for policy 0.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[ ... ]
On Mon, Apr 27, 2015 at 1:56 PM, Jose Vila <[email protected]> wrote:
> Hello Luca and Alfredo,
>
> Thanks for your answers.
>
> I'm going to install the svn version this afternoon.
>
> Meanwhile, I tried using the zc interface, but the same error occurred:
>
>
> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc -i zc:eth4 -v -e
> Running in packet dump mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> pfring_zc DAQ configured to passive.
> ERROR: Can't initialize DAQ pfring_zc (-1) -
> Fatal Error, Quitting..
>
> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc --daq-var clusterid=99 -i zc:eth4 -v -e
> Running in packet dump mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> pfring_zc DAQ configured to passive.
> ERROR: Can't initialize DAQ pfring_zc (-1) -
> Fatal Error, Quitting..
>
>
> On Mon, Apr 27, 2015 at 12:02 PM, Alfredo Cardigliano <[email protected]> wrote:
>
>> Hi Jose
>> please update the code from svn (we improved error reporting), and re-run
>> your command using “zc:eth4” as Luca said.
>>
>> Alfredo
>>
>> On 27 Apr 2015, at 11:41, Luca Deri <[email protected]> wrote:
>>
>> Jose,
>> for using zc you need to use device “zc:eth4”. I am not sure you need the
>> cluster parameter
>>
>> Luca
>>
>>
>> On 27 Apr 2015, at 11:36, Jose Vila <[email protected]> wrote:
>>
>> Hello,
>>
>> I've installed PF_RING from the ntop repository, and compiled snort + daq
>> + pfring daq from source, but have problems running snort ...
>>
>> I can run zcount and it gives good statistics on traffic rate:
>>
>> # zcount -i eth4 -c 99
>> =========================
>> Absolute Stats: 120'907 pkts (0 drops) - 89'395'069 bytes
>> =========================
>>
>> =========================
>> Absolute Stats: 249'119 pkts (0 drops) - 185'193'671 bytes
>> Actual Stats: 128'178.92 pps (0.00 drops) - 0.77 Gbps
>> =========================
>>
>> =========================
>> Absolute Stats: 328'063 pkts (0 drops) - 243'939'955 bytes
>> Actual Stats: 127'437.35 pps (0.00 drops) - 0.76 Gbps
>> =========================
>> [ ... ]
>>
>> But Snort execution fails (same error with pfring and pfring_zc daq):
>>
>> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc --daq-var clusterid=99 -i eth4 -v -e
>> Running in packet dump mode
>>
>> --== Initializing Snort ==--
>> Initializing Output Plugins!
>> pfring_zc DAQ configured to passive.
>> ERROR: Can't initialize DAQ pfring_zc (-1) -
>> Fatal Error, Quitting..
>>
>> If I list the loaded daqs both pfring and pfring_zc exist:
>>
>> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq-list
>> Available DAQ modules:
>> pfring(v1): live inline multi unpriv
>> pfring_zc(v10): live inline multi unpriv
>> pcap(v3): readback live multi unpriv
>> ipfw(v3): live inline multi unpriv
>> dump(v2): readback live inline multi unpriv
>> afpacket(v5): live inline multi unpriv
>>
>> The NIC is a 10g intel nic with ixgbe driver. Hugepages are correctly
>> configured.
>>
>> Am I missing something here?
>>
>> Thank you very much.
>>
>> FYI, installed packages:
>>
>> # yum list installed | grep ntop
>> e1000e-zc.noarch 3.0.4.1-1dkms @ntop-noarch
>> igb-zc.noarch 5.2.5-1dkms @ntop-noarch
>> ixgbe-zc.noarch 3.22.3-1dkms @ntop-noarch
>> pfring.x86_64 6.0.3-8637 @ntop
>> pfring-dkms.noarch 6.0.3-dkms @ntop-noarch
>> pfring-drivers-zc-dkms.noarch 1.0-0 @ntop-noarch
>>
>>
>>
>> _______________________________________________
>> Ntop-misc mailing list
>> [email protected]
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>
>>