Re: No packets are captured on Debian6 in mode 1 or 2

[Nelo Belda <nbelda () gmail com>]

Sorry, I confused mailing list.

2011/10/4 Nelo Belda <nbelda () gmail com>

> I'm trying to install PF_RING on Debian 6 to use it with Snort. I've
> followed many guides and posts but I wasn't able to load it properly.
> Installation was fine (no errors at compilation or loading modules) or it
> seems so, and pf_ring in transparent mode 0 seems to work fine because snort
> received packets, but problems happen in transparent mode 1 and 2.
>
> When I load pf_ring with mode 0, tcpdump and pfcount read traffic so I can
> see statistics but when pf_ring is loaded in the other modes, none of these
> apps show anything.
>
> I paste some information about my device and other stuffs that could help.
>
> root@escila:~# cat /proc/net/pf_ring/info
> PF_RING Version     : 5.1.0 ($Revision: $)
> Ring slots          : 4096
> Slot version        : 13
> Capture TX          : No [RX only]
> IP Defragment       : No
> Socket Mode         : Standard
> Transparent mode    : Yes (mode 1)
> Total rings         : 0
> Total plugins       : 0
>
> When I run pfcount Total rings shows "1". (it says to me it's working
> properly)
>
> root@escila:~# cat /proc/net/pf_ring/dev/eth2/info
> Name:              eth2
> Index:             28
> Address:           98:4B:E1:67:4E:D0
> Polling Mode:      NAPI/TNAPI
> Type:              Ethernet
> Family:            Standard NIC
> # Bound Sockets:   0
> Max # TX Queues:   8
> # Used RX Queues:  8
>
> When I run pfcount Bound sockets shows "1". (it says to me it's working
> properly)
>
> root@escila:~# cat /proc/net/pf_ring/dev/eth2/info
> Name:              eth2
> Index:             28
> Address:           98:4B:E1:67:4E:D0
> Polling Mode:      NAPI/TNAPI
> Type:              Ethernet
> Family:            Standard NIC
> # Bound Sockets:   1
> Max # TX Queues:   8
> # Used RX Queues:  8
>
>
> root@escila:~# ethtool -i eth2
> driver: bnx2
> version: 2.0.23b
> firmware-version: bc 5.2.3 NCSI 2.0.6
> bus-info: 0000:04:00.0
>
> (Latest driver from Broadcom, later than PF_RING's, wich neither works)
>
>
> root@escila:~# /opt/PF_RING/userland/examples/pfcount -i eth2 -v
> Using PF_RING v.5.1.0
> Capturing from eth2 [98:4B:E1:67:4E:D0]
> # Device RX channels: 8
> # Polling threads:    1
> ^C
> ^CLeaving...
> =========================
> Absolute Stats: [0 pkts rcvd][0 pkts dropped]
> Total Pkts=0/Dropped=0.0 %
> 0 pkts - 0 bytes
> =========================
>
> root@escila:~# lsmod
> Module                  Size  Used by
> pf_ring               324435  0
> bnx2                  177366  0
>
> less /var/log/messages
> ct  4 13:26:55 escila kernel: [93985.260867] ADDRCONF(NETDEV_UP): eth2:
> link is not ready
> Oct  4 13:26:58 escila kernel: [93987.751879] bnx2: eth2 NIC Copper Link is
> Up, 1000 Mbps full duplex, receive & transmit flow control ON
> Oct  4 13:26:58 escila kernel: [93987.753990] ADDRCONF(NETDEV_CHANGE):
> eth2: link becomes ready
> Oct  4 13:27:32 escila kernel: [94021.973810] NET: Unregistered protocol
> family 27
> Oct  4 13:27:32 escila kernel: [94021.973817] [PF_RING] unloaded
> Oct  4 13:28:03 escila kernel: [94052.406725] [PF_RING] Welcome to PF_RING
> 5.1.0 ($Revision: $)
> Oct  4 13:28:03 escila kernel: [94052.406727] (C) 2004-11 L.Deri <
> deri () ntop org>
> Oct  4 13:28:03 escila kernel: [94052.406736] [PF_RING] registered
> /proc/net/pf_ring/
> Oct  4 13:28:03 escila kernel: [94052.406738] NET: Registered protocol
> family 27
> Oct  4 13:28:03 escila kernel: [94052.406749] [PF_RING] Min # ring slots
> 4096
> Oct  4 13:28:03 escila kernel: [94052.406750] [PF_RING] Slot version     13
> Oct  4 13:28:03 escila kernel: [94052.406752] [PF_RING] Capture TX       No
> [RX only]
> Oct  4 13:28:03 escila kernel: [94052.406754] [PF_RING] Transparent Mode 1
> Oct  4 13:28:03 escila kernel: [94052.406755] [PF_RING] IP Defragment    No
> Oct  4 13:28:03 escila kernel: [94052.406757] [PF_RING] Initialized
> correctly
>
>
>
> Some tips or clues I could check?
>
> Thanks in advance
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!