Snort mailing list archives

Re: Seg fault with latest pf_ring git


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 01 Nov 2016 13:19:35 -0600

Thanks YM....your willingness to help always impresses me :)  As for 
pf_ring, this was just a git pull...which...is apparently like..uber 
fresh:

commit aa5bf8f7d0662d411465895b8ee8fe8935084a6f
Author: Luca Deri <deri () ntop org>
Date:   Tue Nov 1 10:53:58 2016 +0100

This is just a dev box, so I can wait until it's fixed...oddly, suricata 
tests fine:

/opt/suricata/etc/suricata$] sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -T -c /opt/suricata/etc/suricata/suricata.yaml
1/11/2016 -- 12:13:38 - <Info> - Running suricata under test mode
1/11/2016 -- 12:13:38 - <Notice> - This is Suricata version 3.1.3 RELEASE
1/11/2016 -- 12:13:47 - <Notice> - Configuration provided was successfully loaded. Exiting.


pfring config steps:

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make
sudo make install

cd ../userland/lib
./configure --prefix=/opt/pfring
sudo make install

cd ../libpcap
./configure --prefix=/opt/pfring
sudo make install

cd ../tcpdump
./configure --prefix=/opt/pfring
sudo make install

cd ../userland/snort/pfring-daq-module
autoreconf -ivf
./configure --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib
make
sudo cp .libs/daq_pfring.so /usr/local/lib/daq/

modprobe pf_ring enable_tx_capture=1 min_num_slots=32768

snort config line:
./configure --prefix=/opt/snort --enable-non-ether-decoders \
  --enable-sourcefire --enable-shared-rep --enable-control-socket \
  --enable-open-appid --with-libpcap-includes=/opt/pfring/include \
  --with-libpcap-libraries=/opt/pfring/lib \
  --with-libpfring-includes=/opt/pfring/include \
  --with-libpfring-libraries=/opt/pfring/lib

Thanks again.

James

On 2016-11-01 12:44, Y M wrote:
A long shot at this, but were all the pf_ring modules (driver,
kernel, pfring libpcap, pfring daq) compiled and installed from the
recent source? If you revert back to the stable version (apt/yum
install), does it work? You can also try uninstalling then make clean
and make distclean, and recompile again.

YM
-------------------------

FROM: James Lay <jlay () slave-tothe-box net>
SENT: Tuesday, November 1, 2016 9:03:38 PM
TO: Snort
SUBJECT: [Snort-users] Seg fault with latest pf_ring git

Topic says it.  Config test run:

sudo snort --daq-dir=/usr/local/lib/daq --daq pfring -T -c /opt/snort/etc/snort.conf

backtrace:

#0  0x00007ffff6b681a8 in pfring_get_card_settings () from /opt/pfring/lib/libpcap.so.1
#1  0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized out>, ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at daq_pfring.c:491
#2  0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at sfdaq.c:515
#3  0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "") at sfdaq.c:553
#4  0x000000000043ba5d in SnortMain (argc=7, argv=0x7fffffffe678) at snort.c:875
#5  0x000000000043b9b3 in main (argc=7, argv=0x7fffffffe678) at snort.c:836

sudo snort --daq-dir=/usr/local/lib/daq --daq-list
Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

Not sure of my next step.

James

------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
