Hi Jose,
did you load our ZC drivers?

Alfredo

> On 27 Apr 2015, at 14:30, Jose Vila <[email protected]> wrote:
>
> Hello again,
>
> I recompiled the following from SVN: pf_ring kernel module, pf_ring library,
> libpcap, daq and pfring_daq_zc.
>
> Now executing snort with the zc interface throws an error:
>
> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc
> --daq-var clusterid=99 -i zc:eth4 -v -e
> Running in packet dump mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> pfring_zc DAQ configured to passive.
> ERROR: Can't initialize DAQ pfring_zc (-1) - pfring_zc_open_device(): unable
> to open device 'zc:eth4' (RX)
> Fatal Error, Quitting..
>
> But executing without zc interface seems to work.
>
> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc
> --daq-var clusterid=99 -i eth4 -v -e
> Running in packet dump mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> pfring_zc DAQ configured to passive.
> Acquiring network traffic from "eth4".
>
> --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.7.2 GRE (Build 177)
>    ''''    By Martin Roesch & The Snort Team:
>            http://www.snort.org/contact#team
>            Copyright (C) 2014 Cisco and/or its affiliates. All rights
>            reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.6.2
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
>
> Commencing packet processing (pid=12146)
> Decoding Ethernet
> WARNING: No preprocessors configured for policy 0.
> 04/27-14:26:58.367470 00:09:0F:09:00:02 -> 00:00:5E:00:01:42 type:0x800
> len:0x42
> AAA.BBB.CCC.DDD:55006 -> AAA.BBB.CCC.DDD:80 TCP TTL:59 TOS:0x0 ID:37649
> IpLen:20 DgmLen:52 DF
> ***A**** Seq: 0x177AABF9 Ack: 0xD967D4DA Win: 0x225 TcpLen: 32
> TCP Options (3) => NOP NOP WARNING: No preprocessors configured for policy 0.
> TS: 21194506 968768806
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/27-14:26:58.367489 2C:B6:93:04:AB:12 -> 00:09:0F:09:00:02 type:0x8100
> len:0x5EE
> AAA.BBB.CCC.DDD:80 -> AAA.BBB.CCC.DDD:46114 TCP TTL:58 TOS:0x0 ID:38162
> IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x8F1D3067 Ack: 0x9416E66E Win: 0x528 TcpLen: 32
> TCP Options (3) => NOP NOP WARNING: No preprocessors configured for policy 0.
> TS: 2341720768 21194499
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> [ ... ]
>
>
> On Mon, Apr 27, 2015 at 1:56 PM, Jose Vila <[email protected]> wrote:
> Hello Luca and Alfredo,
>
> Thanks for your answers.
>
> I'm going to install the svn version this afternoon.
>
> Meanwhile, I tried using the zc interface, but same error occurred:
>
>
> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc -i
> zc:eth4 -v -e
> Running in packet dump mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> pfring_zc DAQ configured to passive.
> ERROR: Can't initialize DAQ pfring_zc (-1) -
> Fatal Error, Quitting..
>
> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc
> --daq-var clusterid=99 -i zc:eth4 -v -e
> Running in packet dump mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> pfring_zc DAQ configured to passive.
> ERROR: Can't initialize DAQ pfring_zc (-1) -
> Fatal Error, Quitting..
>
>
> On Mon, Apr 27, 2015 at 12:02 PM, Alfredo Cardigliano <[email protected]> wrote:
> Hi Jose
> please update the code from svn (we improved error reporting), and re-run
> your command using “zc:eth4” as Luca said.
>
> Alfredo
>
>> On 27 Apr 2015, at 11:41, Luca Deri <[email protected]>
>> wrote:
>>
>> Jose,
>> for using zc you need to use device “zc:eth4”. I am not sure you need the
>> cluster parameter
>>
>> Luca
>>
>>
>>> On 27 Apr 2015, at 11:36, Jose Vila <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> I've installed PF_RING from the ntop repository, and compiled snort + daq +
>>> pfring daq from source, but have problems to run snort ...
>>>
>>> I can run zcount and it gives good statistics on traffic rate:
>>>
>>> # zcount -i eth4 -c 99
>>> =========================
>>> Absolute Stats: 120'907 pkts (0 drops) - 89'395'069 bytes
>>> =========================
>>>
>>> =========================
>>> Absolute Stats: 249'119 pkts (0 drops) - 185'193'671 bytes
>>> Actual Stats: 128'178.92 pps (0.00 drops) - 0.77 Gbps
>>> =========================
>>>
>>> =========================
>>> Absolute Stats: 328'063 pkts (0 drops) - 243'939'955 bytes
>>> Actual Stats: 127'437.35 pps (0.00 drops) - 0.76 Gbps
>>> =========================
>>> [ ... ]
>>>
>>> But Snort execution fails (same error with pfring and pfring_zc daq):
>>>
>>> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq pfring_zc
>>> --daq-var clusterid=99 -i eth4 -v -e
>>> Running in packet dump mode
>>>
>>> --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> pfring_zc DAQ configured to passive.
>>> ERROR: Can't initialize DAQ pfring_zc (-1) -
>>> Fatal Error, Quitting..
>>>
>>> If I list the loaded daqs both pfring and pfring_zc exist:
>>>
>>> # /usr/local/snort/bin/snort --daq-dir /usr/local/lib/daq/ --daq-list
>>> Available DAQ modules:
>>> pfring(v1): live inline multi unpriv
>>> pfring_zc(v10): live inline multi unpriv
>>> pcap(v3): readback live multi unpriv
>>> ipfw(v3): live inline multi unpriv
>>> dump(v2): readback live inline multi unpriv
>>> afpacket(v5): live inline multi unpriv
>>>
>>> The NIC is a 10g intel nic with ixgbe driver. Hugepages are correctly
>>> configured.
>>>
>>> Am I missing something here?
>>>
>>> Thank you very much.
>>>
>>> FYI, installed packages:
>>>
>>> # yum list installed | grep ntop
>>> e1000e-zc.noarch                3.0.4.1-1dkms   @ntop-noarch
>>> igb-zc.noarch                   5.2.5-1dkms     @ntop-noarch
>>> ixgbe-zc.noarch                 3.22.3-1dkms    @ntop-noarch
>>> pfring.x86_64                   6.0.3-8637      @ntop
>>> pfring-dkms.noarch              6.0.3-dkms      @ntop-noarch
>>> pfring-drivers-zc-dkms.noarch   1.0-0           @ntop-noarch
>>>
>>>
>>>
>>> _______________________________________________
>>> Ntop-misc mailing list
>>> [email protected]
>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
