Snort mailing list archives

Re: Getting PF_RING to work on a vanilla driver with Snort


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Fri, 7 Mar 2014 13:39:37 +0530

OK, I tried to install again but got the same result. When I run snort, the
ring is formed but snort (DAQ) does not read from the ring. The daq .so file
has

# ldd /usr/local/lib/daq/daq_pfring.so
    linux-vdso.so.1 =>  (0x00007fffee591000)
    libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007f1c140bf000)
    libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00007f1c13e98000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c13ae5000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1c138c8000)
    libpfring.so => /usr/local/lib/libpfring.so (0x00007f1c136a3000)
    /lib64/ld-linux-x86-64.so.2 (0x00000035fd200000)

And when snort is running, the pfring stats are

$ cat /proc/net/pf_ring/6571-eth1.15
Bound Device(s)    : eth1
Active             : 1
Breed              : Non-DNA
Sampling Rate      : 1
Capture Direction  : RX+TX
Socket Mode        : RX only
Appl. Name         : snort-socket-0
IP Defragment      : No
BPF Filtering      : Disabled
# Sw Filt. Rules   : 0
# Hw Filt. Rules   : 0
Poll Pkt Watermark : 128
Num Poll Calls     : 0
Channel Id Mask    : 0xFFFFFFFF
Cluster Id         : 0
Slot Version       : 15 [5.6.0]
Min Num Slots      : 4872
Bucket Len         : 1514
Slot Len           : 1720 [bucket+header]
Tot Memory         : 8388608
Tot Packets        : 254
Tot Pkt Lost       : 0
Tot Insert         : 254
*Tot Read           : 0*
Insert Offset      : 154280
Remove Offset      : 0
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Num Free Slots     : 4618


As can be seen, inserts are fine, but reads=0, which means the PFRING DAQ does
not perform the reads. Any ideas, please?

Dheeraj
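
The check the post makes by eye (Tot Insert counting up while Tot Read stays at 0), as an added example that is not part of the original message: a Python parser for the per-socket stats file, run on a constructed sample trimmed from the output above. The function names and the wording of the findings are assumptions of this example.

```python
import re

# Constructed sample: a trimmed copy of the per-socket stats shown in the post,
# including the "*...*" emphasis the mail client left around one line.
SAMPLE = """\
Bound Device(s)    : eth1
Active             : 1
Appl. Name         : snort-socket-0
Num Poll Calls     : 0
Channel Id Mask    : 0xFFFFFFFF
Slot Version       : 15 [5.6.0]
Tot Pkt Lost       : 0
Tot Insert         : 254
*Tot Read           : 0*
TX: Send Ok        : 0
"""

def parse_ring_stats(text):
    """Parse 'Key : value' lines from a /proc/net/pf_ring/<pid>-<dev>.<id> file."""
    stats = {}
    for line in text.splitlines():
        line = line.strip().strip("*")           # tolerate pasted emphasis markers
        key, sep, value = line.rpartition(":")   # keys such as "TX: Send Ok" contain ':'
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        # Keep a leading decimal integer as int ("15 [5.6.0]" -> 15), else the raw string.
        m = re.match(r"-?\d+(?=\s|$)", value)
        stats[key] = int(m.group()) if m else value
    return stats

def diagnose(stats):
    """Return findings for a ring the kernel fills but the sensor never drains."""
    findings = []
    inserted, read = stats.get("Tot Insert", 0), stats.get("Tot Read", 0)
    if stats.get("Active") == 1 and inserted > 0 and read == 0:
        findings.append("reader stalled: %d packets inserted, 0 read" % inserted)
        if stats.get("Num Poll Calls", 0) == 0:
            findings.append("no poll calls recorded on this socket")
    if stats.get("Tot Pkt Lost", 0) > 0:
        findings.append("packets lost: %d" % stats["Tot Pkt Lost"])
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_ring_stats(SAMPLE)):
        print(finding)
```

Run periodically against each file under /proc/net/pf_ring/, this flags a sensor that is attached to the ring but inspecting no traffic.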