Snort mailing list archives

Getting PF_RING to work on a vanilla driver with Snort


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Thu, 6 Mar 2014 16:57:44 +0530

Hi,
I am trying to get PF_RING DAQ running for my Snort instance. I downloaded
the PF_RING-5.6.0 tarfile (As listed on Snort External DAQ page) and
followed the instructions to install PF_RING. In a nutshell
1. Unzip the directory and change to it
2. Run make
3. Go to kernel/ and lib/ and run make install
4. This installed the pf_ring.ko kernel module and loaded it with
transparent_mode=0

Next I changed to userland/snort/pfring-daq-module and followed the
instructions
1. autoreconf -ivf
2. ./configure
3. make
4. make install

Now I can see the daq_pfring.la and daq_pfring.so under /usr/local/lib/daq.

To test snort I did
snort --daq-dir=/usr/local/lib/daq/ --daq=pfring --daq-mode passive -v

But it showed ZERO packets captured.
However, running the pfcount (pfcount -i eth1 or pfcount -lpfring -i eth1)
example application (from PF_RING) shows packets being captured.

Some outputs
# lsmod | grep pf_ring
pf_ring               405158  0

# cat /proc/net/pf_ring/info
PF_RING Version          : 5.6.0 ($Revision: exported$)
Total rings              : 0

Standard (non DNA) Options
Ring slots               : 4096
Slot version             : 15
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

# cat /proc/net/pf_ring/dev/eth1/info
Name:              eth1
Index:             3
Address:           00:25:90:0B:CE:C1
Polling Mode:      NAPI/TNAPI
Type:              Ethernet
Family:            Standard NIC
# Bound Sockets:   0
Max # TX Queues:   1
# Used RX Queues:  1

(This when Snort is not running)

I also tried to uninstall snort and reconfigure with --with-libpfring-...
options. The configurations went OK but in the config messages the message
"Checking for pfring.h" was NOT shown.

What am I doing wrong?

Dheeraj
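The post above lists the build steps and a single snapshot of /proc/net/pf_ring taken while Snort was stopped, which is exactly when "Total rings: 0" is expected. The script below is an added illustration for this thread (my own, not code from PF_RING, Snort or the poster): it parses the /proc/net/pf_ring text in the format the post shows, counts the rings and the sockets bound to an interface so the numbers can be compared with Snort running and stopped, confirms daq_pfring.so is where the post installed it (/usr/local/lib/daq), and flags one difference visible in the post: the pfcount runs name the interface with -i eth1, while the snort command line names no interface. That last check is a heuristic of this script, not a documented Snort diagnostic.

```shell
#!/bin/sh
# pfring_daq_check.sh
# Added diagnostic helpers for a Snort + PF_RING DAQ setup. This is an
# illustration for the thread, not code from PF_RING, Snort or the poster.
# The /proc/net/pf_ring text it parses is the format shown in the post;
# the DAQ directory /usr/local/lib/daq is the one the post uses.

# "Total rings" from /proc/net/pf_ring/info (read on stdin). A Snort
# instance that has opened its pfring DAQ shows up here as at least one
# ring; 0 while Snort is stopped is normal. Prints -1 if the line is absent.
pfring_total_rings() {
    awk -F': *' '/^Total rings/ { n = $2 + 0; print n; found = 1 }
                 END { if (!found) print "-1" }'
}

# "# Bound Sockets" from /proc/net/pf_ring/dev/<iface>/info (read on stdin):
# how many PF_RING sockets are attached to that device right now.
pfring_bound_sockets() {
    awk -F': *' '/^# Bound Sockets/ { n = $2 + 0; print n; found = 1 }
                 END { if (!found) print "-1" }'
}

# Heuristic check of a snort command line (an assumption of this script):
# the pfcount runs in the post name the interface with -i eth1, while the
# snort run names no interface at all, so flag a pfring run without -i.
# Prints "ok", "no-interface" or "not-pfring".
snort_cmdline_check() {
    cmd=" $1 "
    case "$cmd" in
        *" --daq=pfring "*|*" --daq pfring "*) ;;
        *) echo "not-pfring"; return 1 ;;
    esac
    case "$cmd" in
        *" -i "*) echo "ok"; return 0 ;;
        *) echo "no-interface"; return 1 ;;
    esac
}

# Live report: run this while Snort is capturing in another terminal and
# compare with the numbers you see with Snort stopped.
pfring_report() {
    iface="$1"
    daqdir="${2:-/usr/local/lib/daq}"
    if ! lsmod | grep -q '^pf_ring'; then
        echo "pf_ring kernel module is not loaded"
        return 1
    fi
    echo "Total rings          : $(pfring_total_rings < /proc/net/pf_ring/info)"
    if [ -r "/proc/net/pf_ring/dev/$iface/info" ]; then
        echo "Sockets bound to $iface: $(pfring_bound_sockets < "/proc/net/pf_ring/dev/$iface/info")"
    else
        echo "No PF_RING device entry for $iface"
    fi
    if [ -e "$daqdir/daq_pfring.so" ]; then
        echo "daq_pfring.so        : present in $daqdir"
    else
        echo "daq_pfring.so        : MISSING from $daqdir"
    fi
}

# Usage: sh pfring_daq_check.sh eth1 [/path/to/daq/dir]
if [ $# -ge 1 ]; then
    pfring_report "$@"
fi
```

Run it once with Snort stopped and once while `snort --daq pfring -i eth1 ...` is capturing: if "Total rings" and the bound-socket count for eth1 do not change between the two runs, Snort never opened a PF_RING socket on that interface, and the DAQ selection or the interface argument is the place to look rather than the kernel module.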
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!