Hi Luke,

I have already seen this behavior with another tool (with ntop actually).
What I discovered was that when the program started, it created the ring before doing the fork to detach from the terminal. Thus the PID in /proc/net/pf_ring was from the launcher before the fork and the PID seen with "ps" was from the newly forked process.

Regards,
Olivier

> On 18 Nov 2015, at 17:41, Luke Whitworth <[email protected]> wrote:
>
> Hi all,
>
> I'm using the latest pf_ring package from the ntop repo on RHEL 6.7 to power
> a snort monitor. All working fine but for one slightly strange issue. When
> Snort (Version 2.9.7.6 GRE (Build 285)) is started from the standard
> /etc/init.d/snort service file it starts fine, uses pf_ring, but the file
> name in /proc/net/pf_ring doesn't correspond to the pid that is created by
> the snort service, e.g.
>
> [root@snort ~]# ps aux | grep snort
> snort 2202 0.0 18.5 542696 188996 ? Ssl 16:36 0:00
> /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort
>
> [root@snort ~]# ls -l /proc/net/pf_ring/
> total 0
> -r--r--r-- 1 root root 0 Nov 18 16:36 2185-eth0.36
> dr-xr-xr-x 5 root root 0 Nov 18 16:36 dev
> -r--r--r-- 1 root root 0 Nov 18 16:36 info
> -r--r--r-- 1 root root 0 Nov 18 16:36 plugins_info
> dr-xr-xr-x 2 root root 0 Nov 18 16:36 stats
>
> So daemon pid is 2202, pf_ring is showing 2185-eth0.36. Starting and
> stopping the service dutifully changes both numbers.
>
> Any ideas?
>
> Cheers,
>
> Luke
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
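The mismatch discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not pf_ring code: it parses ring entry names and reports those whose embedded PID is no longer a running process. The `<pid>-<device>.<id>` name format is inferred from the listing quoted above, and the function names and sample PID list are assumptions made for illustration.

```python
import os
import re

# Ring entries are assumed to be named "<pid>-<device>.<id>", as in "2185-eth0.36".
# The device part may itself contain dots (e.g. a VLAN interface), so the ring id
# is taken as the digits after the last dot.
RING_NAME = re.compile(r"^(\d+)-(.+)\.(\d+)$")


def parse_ring_names(names):
    """Return (pid, device, ring_id) per ring entry; skip info, dev, stats, etc."""
    rings = []
    for name in names:
        m = RING_NAME.match(name)
        if m:
            rings.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return rings


def stale_rings(ring_names, live_pids):
    """Rings whose embedded PID does not belong to any running process."""
    live = set(live_pids)
    return [ring for ring in parse_ring_names(ring_names) if ring[0] not in live]


def live_pids_from_proc(proc="/proc"):
    """PIDs of all running processes, read from the numeric entries of /proc."""
    return [int(d) for d in os.listdir(proc) if d.isdigit()]


if __name__ == "__main__":
    ring_dir = "/proc/net/pf_ring"
    if os.path.isdir(ring_dir):
        names, pids = os.listdir(ring_dir), live_pids_from_proc()
    else:
        # Constructed sample: entry names from the listing in the thread,
        # plus a PID list containing only init and the snort daemon.
        names = ["2185-eth0.36", "dev", "info", "plugins_info", "stats"]
        pids = [1, 2202]
    for pid, dev, ring_id in stale_rings(names, pids):
        # Interpretation follows the explanation in the reply above.
        print(f"ring {ring_id} on {dev}: creator PID {pid} is not running; "
              "the ring was likely opened before the daemon forked")
```

A ring flagged here is not necessarily leaked: per the reply above, the forked daemon keeps using the ring its launcher created, so the entry name simply keeps the launcher's PID.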
