Snort mailing list archives
No packets are captured on Debian6 in mode 1 or 2
From: Nelo Belda <nbelda () gmail com>
Date: Tue, 4 Oct 2011 13:56:49 +0200
I'm trying to install PF_RING on Debian 6 to use it with Snort. I've followed many guides and posts but I wasn't able to load it properly. Installation was fine (no errors at compilation or loading modules), or so it seems, and pf_ring in transparent mode 0 seems to work fine because Snort received packets, but problems happen in transparent modes 1 and 2. When I load pf_ring with mode 0, tcpdump and pfcount read traffic so I can see statistics, but when pf_ring is loaded in the other modes, none of these apps show anything.

I'm pasting some information about my device and other details that could help.

root@escila:~# cat /proc/net/pf_ring/info
PF_RING Version : 5.1.0 ($Revision: $)
Ring slots : 4096
Slot version : 13
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes (mode 1)
Total rings : 0
Total plugins : 0

When I run pfcount, Total rings shows "1" (this tells me it's working properly).

root@escila:~# cat /proc/net/pf_ring/dev/eth2/info
Name: eth2
Index: 28
Address: 98:4B:E1:67:4E:D0
Polling Mode: NAPI/TNAPI
Type: Ethernet
Family: Standard NIC
# Bound Sockets: 0
Max # TX Queues: 8
# Used RX Queues: 8

When I run pfcount, Bound sockets shows "1" (this tells me it's working properly).

root@escila:~# cat /proc/net/pf_ring/dev/eth2/info
Name: eth2
Index: 28
Address: 98:4B:E1:67:4E:D0
Polling Mode: NAPI/TNAPI
Type: Ethernet
Family: Standard NIC
# Bound Sockets: 1
Max # TX Queues: 8
# Used RX Queues: 8

root@escila:~# ethtool -i eth2
driver: bnx2
version: 2.0.23b
firmware-version: bc 5.2.3 NCSI 2.0.6
bus-info: 0000:04:00.0

(Latest driver from Broadcom, later than PF_RING's, which doesn't work either)

root@escila:~# /opt/PF_RING/userland/examples/pfcount -i eth2 -v
Using PF_RING v.5.1.0
Capturing from eth2 [98:4B:E1:67:4E:D0]
# Device RX channels: 8
# Polling threads: 1
^C
^CLeaving...
=========================
Absolute Stats: [0 pkts rcvd][0 pkts dropped]
Total Pkts=0/Dropped=0.0 %
0 pkts - 0 bytes
=========================

root@escila:~# lsmod
Module Size Used by
pf_ring 324435 0
bnx2 177366 0

less /var/log/messages
ct 4 13:26:55 escila kernel: [93985.260867] ADDRCONF(NETDEV_UP): eth2: link is not ready
Oct 4 13:26:58 escila kernel: [93987.751879] bnx2: eth2 NIC Copper Link is Up, 1000 Mbps full duplex, receive & transmit flow control ON
Oct 4 13:26:58 escila kernel: [93987.753990] ADDRCONF(NETDEV_CHANGE): eth2: link becomes ready
Oct 4 13:27:32 escila kernel: [94021.973810] NET: Unregistered protocol family 27
Oct 4 13:27:32 escila kernel: [94021.973817] [PF_RING] unloaded
Oct 4 13:28:03 escila kernel: [94052.406725] [PF_RING] Welcome to PF_RING 5.1.0 ($Revision: $)
Oct 4 13:28:03 escila kernel: [94052.406727] (C) 2004-11 L.Deri < deri () ntop org>
Oct 4 13:28:03 escila kernel: [94052.406736] [PF_RING] registered /proc/net/pf_ring/
Oct 4 13:28:03 escila kernel: [94052.406738] NET: Registered protocol family 27
Oct 4 13:28:03 escila kernel: [94052.406749] [PF_RING] Min # ring slots 4096
Oct 4 13:28:03 escila kernel: [94052.406750] [PF_RING] Slot version 13
Oct 4 13:28:03 escila kernel: [94052.406752] [PF_RING] Capture TX No [RX only]
Oct 4 13:28:03 escila kernel: [94052.406754] [PF_RING] Transparent Mode 1
Oct 4 13:28:03 escila kernel: [94052.406755] [PF_RING] IP Defragment No
Oct 4 13:28:03 escila kernel: [94052.406757] [PF_RING] Initialized correctly

Any tips or clues I could check?

Thanks in advance