Yup, bro is liked to the correct libpcap in /opt/pfring/lib and yes, my
node.cfg looks like this:
[manager]
type=manager
host=192.168.1.120
interface=enp10s0f0
[proxy-1]
type=proxy
host=192.168.1.120
interface=enp10s0f0
[worker-1]
type=worker
host=192.168.1.120
interface=enp10s0f0
lb_method=pf_ring
lb_procs=2
I still get the kernel panic whenever I do this:
1. cd /opt/bro/bin
2. sudo ./broctl
3. install
4. check
5. (all returns with okay here)
6. start
7. and immediately, i get a kernel panic
If run the PF_RING tcpdump-4.1.1:
1. cd /opt/pfring/sbin
2. sudo ./tcpdump
3. and immediately, i get a kernel panic
But if I run one of the example programs included with the PF_RING source:
1. cd ~/PF_RING/userland/examples
2. sudo ./pfcount -i enp10s0f0
1. it runs fine and starts dumping stats
3. sudo ./pfsend -i enp10s0f0 -f ~/file.pcap
1. starts sending packets from the pcap
4. And the pfcount program displays stats according to what pfsend is
sending out.
If I do "ldd pfsend" or "ldd pfcount", I see no links to libpcap-1.6.2 from
PF_RING, which leads me to believe its an error with the libpcap that
PF_RING includes not liking my system.
Thanks,
Neel
On Thu, Jun 18, 2015 at 11:11 AM, Jan Grashofer <[email protected]>
wrote:
> Did you validate that Bro uses the correct lib (see step 5: ldd
> /usr/local/bro/bin/bro | grep pcap) and did you configure Bro to use
> PF_RING (lb_method, lb_procs)?
>
>
>
> Regards,
>
> Jan
>
>
> ------------------------------
> *From:* [email protected] [
> [email protected]] on behalf of Neel Shah [[email protected]]
> *Sent:* Thursday, June 18, 2015 16:43
> *To:* [email protected]
> *Subject:* Re: [Ntop] PF_RING causes kernel panic
>
> I'm not too familiar with what you're asking. The only configuration
> with Bro that I did was in the bro/etc/network.cfg and bro/etc/node.cfg. I
> made sure that Bro was working with the proper interface, in my case it is
> enp10s0f0, and made sure that the subnet that it worked with was proper
> too, 192.168.1.0/24.
>
> I'm not using zero-copy or dna. And if I run multiple queues on the NIC
> with the example programs, there's no problem at all!
>
> Thank you,
> Neel
>
> On Thu, Jun 18, 2015 at 10:34 AM, Jan Grashofer <[email protected]>
> wrote:
>
>> How did you configure Bro and the NIC driver? I experienced a kernel
>> oops with a driver config using multiple queues on the NIC together with
>> zero copy.
>>
>>
>>
>> Regards,
>>
>> Jan
>>
>> ------------------------------
>> *From:* [email protected] [
>> [email protected]] on behalf of Neel Shah [[email protected]
>> ]
>> *Sent:* Thursday, June 18, 2015 16:24
>> *To:* [email protected]
>> *Subject:* [Ntop] PF_RING causes kernel panic
>>
>> Hey,
>>
>> I am having some issues getting PF_RING to work with Bro 2.4.
>>
>> PF_RING version: 6.1.1
>> OS: CentOS 7
>> Kernel: 3.10.0-229.4.2.el7.x86_64
>> Bro: 2.4
>> 12Gb RAM
>> 4 core Intel Xeon 5110 1.6Ghz
>> Dell Poweredge 2950
>> Intel e1000e NIC
>>
>> To install, I got the dependencies via yum and then in the PF_RING
>> directory, I ran these commands:
>>
>> 1. cd kernel
>> 2. ./configure
>> 3. sudo make -f Makefile.dkms rpm
>> 4. cd ../userland
>> 5. cd lib
>> 6. ./configure --prefix=/opt/pfring
>> 7. make && sudo make install
>> 8. ../libpcap
>> 9. ./configure --prefix=/opt/pfring
>> 10. make && sudo make install
>> 11. cd ../tcpdump-4.1.1
>> 12. ./configure --prefix=/opt/pfring
>> 13. make && sudo make install
>> 14. sudo vim /etc/ld.so.conf.d/pfring.conf
>> 1. add the line /opt/pfring/lib
>> 15. sudo ldconfig
>> 16. sudo modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
>>
>> After that, if I try to run tcpdump, I get a null pointer dereference in
>> the kernel, then it kernel panics and crashes immediately.
>>
>> I even tried installing Bro with the steps on the Bro site (
>> https://www.bro.org/documentation/load-balancing.html)
>>
>> After installing Bro, I get a kernel panic if I start it.
>>
>> If I run the example software included with PF_RING such as
>> pfcount/pfsend/etc.. I get no errors. As soon as I run an application that
>> depends on the libpcap (1.1.1 or 1.6.2), I immediately get a kernel panic.
>>
>> I also tried to install the e1000e driver provided in the PF_RING source
>> as well with no luck.
>>
>> I don't really know what else to try! If someone has experience or
>> wants to help me debug, I would really really appreciate that!
>>
>> Thanks in advance!
>>
>> --
>> Neel Shah
>>
>>
>> _______________________________________________
>> Ntop mailing list
>> [email protected]
>> http://listgateway.unipi.it/mailman/listinfo/ntop
>>
>
>
>
> --
> Neel Shah
> B.S. in Computer Science and Minor in Systems Engineering
> The George Washington University Class of 2017
> [email protected]
> _____________________________________________
>
> Here is a link to my public key <http://www.shah7.com/pgp.txt>
>
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>
--
Neel Shah
B.S. in Computer Science and Minor in Systems Engineering
The George Washington University Class of 2017
[email protected]
_____________________________________________
Here is a link to my public key <http://www.shah7.com/pgp.txt>
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
