Support #889
closed
PF_RING not enabled error when starting Suricata
Description
Installed on a fresh 12.04.2 machine following directions here:
suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /usr/local/etc/suricata/suricata.yaml
[20888] 20/7/2013 -- 13:40:31 - (suricata.c:850) <Error> (main) -- [ERRCODE: SC_ERR_NO_PF_RING(30)] - PF_RING not enabled. Make sure to pass --enable-pfring to configure when building.
Is there some command I could issue if necessary to clean or clear anything in the existing installation, followed by repeating a particular one of the configure and make (and make install?) commands on that page?
suricata runs OK when started without pfring.
Updated by Peter Manev over 11 years ago
Hi,
1) What is the output of
suricata --build-info
It will tell you if it is compiled with pf_ring or not.
2) Then what is the output of your
modinfo pf_ring && cat /proc/net/pf_ring/info
3) What was your configure line, and did you point to the correct pf_ring directories?
thanks
Updated by April Lorenzen over 11 years ago
BUILD INFO
suricata --build-info
This is Suricata version 2.0dev (rev 149d2a0)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.5, linked against LibHTP v0.5.5
Suricata Configuration:
  AF_PACKET support: yes
  PF_RING support: no
  NFQueue support: no
  IPFW support: no
  DAG enabled: no
  Napatech enabled: no
  Unix socket enabled: no
  libnss support: no
  libnspr support: no
  libjansson support: no
  Prelude support: no
  PCRE jit: no
  libluajit: no
  libgeoip: no
  Non-bundled htp: no
  Old barnyard2 support: no
  CUDA enabled: no
  Suricatasc install: yes
  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no
  Profiling enabled: no
  Profiling locks enabled: no
Generic build parameters:
  Installation prefix (--prefix): /usr/local
  Configuration directory (--sysconfdir): /usr/local/etc/suricata/
  Log directory (--localstatedir) : /usr/local/var/log/suricata/
  Host: x86_64-unknown-linux-gnu
  GCC binary: gcc
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
MOD INFO
modinfo pf_ring && cat /proc/net/pf_ring/info
filename: /lib/modules/3.5.0-23-generic/kernel/net/pf_ring/pf_ring.ko
alias: net-pf-27
description: Packet capture acceleration and analysis
author: Luca Deri <deri@ntop.org>
license: GPL
srcversion: B92A53FCC28C1503CEAAA94
depends:
vermagic: 3.5.0-23-generic SMP mod_unload modversions
parm: min_num_slots:Min number of ring slots (uint)
parm: perfect_rules_hash_size:Perfect rules hash size (uint)
parm: transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint)
parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
PF_RING Version : 5.6.1 ($Revision: exported$)
Total rings : 0
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
CONFIGURE LINE:
./configure --enable-pfring --with-libpfring-includes=/usr/local/pfring/include --with-libpfring-libraries=/usr/local/pfring/lib --with-libpcap-includes=/usr/local/pfring/include --with-libpcap-libraries=/usr/local/pfring/lib
pf_ring DIRECTORIES
Same paths in the configure line are verified to exist:
ls -lthr /usr/local/pfring/include
total 36K
-rw-r--r-- 1 root root 20K Jul 19 22:25 pfring.h
-rw-r--r-- 1 root root 2.3K Jul 19 22:25 pcap.h
-rw-r--r-- 1 root root 2.1K Jul 19 22:25 pcap-namedb.h
-rw-r--r-- 1 root root 2.4K Jul 19 22:25 pcap-bpf.h
drwxr-xr-x 2 root root 4.0K Jul 19 22:25 pcap
ls -lthr /usr/local/pfring/lib
total 1.2M
-rw-r--r-- 1 root root 235K Jul 19 22:25 libpfring.a
-rwxr-xr-x 1 root root 173K Jul 19 22:25 libpfring.so
-rwxr-xr-x 1 root root 383K Jul 19 22:25 libpcap.so.1.1.1
lrwxrwxrwx 1 root root 16 Jul 19 22:25 libpcap.so.1 -> libpcap.so.1.1.1
lrwxrwxrwx 1 root root 12 Jul 19 22:25 libpcap.so -> libpcap.so.1
-rw-r--r-- 1 root root 394K Jul 19 22:25 libpcap.a
HISTORY FROM INSTALL:
Note that at one point I saw 2 errors about permission denied to get-version.sh. I then chmod a+x that file and repeated the step I thought that error happened during, and those after.
8 sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make flex bison git subversion libmagic-dev
9 pwd
10 mkdir installstuff
11 cd installstuff
12 svn export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ pfring-svn-latest
13 cd pfring-svn-latest/kernel
14 make && sudo make install
15 cd ../userland/lib
16 ./configure --prefix=/usr/local/pfring && make && sudo make install
17 cd ../libpcap-1.1.1-ring
18 ./configure --prefix=/usr/local/pfring && make && sudo make install
19 cd ../tcpdump-4.1.1
20 ./configure --prefix=/usr/local/pfring && make && sudo make install
21 sudo ldconfig
22 sudo modprobe pf_ring
23 modinfo pf_ring && cat /proc/net/pf_ring/info
24 cd ~/installstuff/
25 git clone git://phalanx.openinfosecfoundation.org/oisf.git
26 cd oisf
27 git clone https://github.com/ironbee/libhtp.git -b 0.5.x
28 ./autogen.sh
29 ./configure --enable-pfring --with-libpfring-includes=/usr/local/pfring/include --with-libpfring-libraries=/usr/local/pfring/lib --with-libpcap-includes=/usr/local/pfring/include --with-libpcap-libraries=/usr/local/pfring/lib
30 make
31 sudo make install
32 sudo ldconfig
33 LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --build-info
34 ls *.sh
35 updatedb
36 locate get-version.sh
37 ls -lthr /home/ubuntu/installstuff/oisf/libhtp/get-version.sh
38 chmod a+x /home/ubuntu/installstuff/oisf/libhtp/get-version.sh
39 /home/ubuntu/installstuff/oisf/libhtp/get-version.sh
40 ls
41 ./autogen.sh
42 ./configure --enable-pfring --with-libpfring-includes=/usr/local/pfring/include --with-libpfring-libraries=/usr/local/pfring/lib --with-libpcap-includes=/usr/local/pfring/include --with-libpcap-libraries=/usr/local/pfring/lib
43 make
44 sudo make install
45 sudo ldconfig
46 LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --build-info
47 vi /etc/ld.so.conf.d/pfring.conf
48 sudo ldconfig
49 suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
50 ./configure && make && make install-full
51 ps auxfwww1
52 updatedb
53 locate yaml
54 vi /usr/local/etc/suricata/suricata.yaml
Updated by Peter Manev over 11 years ago
I just repeated the steps in the guide with the latest git master ->
root@suricata:~# suricata --build-info
This is Suricata version 2.0dev (rev 055b422)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LUAJIT HAVE_LIBJANSSON PROFILING
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.5, linked against LibHTP v0.5.5
Suricata Configuration:
  AF_PACKET support: yes
  PF_RING support: yes
no problem running suricata.
root@suricata:~# modinfo pf_ring && cat /proc/net/pf_ring/info
filename: /lib/modules/3.2.0-39-generic/kernel/net/pf_ring/pf_ring.ko
alias: net-pf-27
description: Packet capture acceleration and analysis
author: Luca Deri <deri@ntop.org>
license: GPL
srcversion: E2DAD5EBB12A26D71806A1D
depends:
vermagic: 3.2.0-39-generic SMP mod_unload modversions
parm: min_num_slots:Min number of ring slots (uint)
parm: perfect_rules_hash_size:Perfect rules hash size (uint)
parm: transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint)
parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
PF_RING Version : 5.6.1 ($Revision: exported$)
Total rings : 16
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 32764
Cluster Fragment Discard : 2211620785
root@suricata:~#
Could the case be that there are multiple installations of suricata (/usr/local/bin/suricata, /usr/bin/suricata, ...)?
In your configure line it clearly says that pf_ring is not enabled.
Updated by Peter Manev over 11 years ago
I meant it clearly says that pf_ring is not enabled in your "suricata --build-info" line, not your "configure line".
Updated by April Lorenzen over 11 years ago
updatedb
locate suricata|grep "suricata$"
/home/ubuntu/installstuff/oisf/src/suricata
/home/ubuntu/installstuff/oisf/src/.libs/suricata
/usr/local/bin/suricata
/usr/local/etc/suricata
/usr/local/share/doc/suricata
/usr/local/var/log/suricata
/usr/local/var/run/suricata
I don't see multiple installations represented there. I am happy to do any steps of clean or removal and follow any suggested steps for installation.
Before carrying out another install procedure I should mention that I also need support for "Interacting via Unix Socket" which it appears I missed as well, which would be my fault for not having the pre-requisite that is supposed to cause it to automatically be included.
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Interacting_via_Unix_Socket
"If libjansson is present on the system , unix socket will be compiled in automatically - when you use "--enable-unix-socket" in your configure line."
I did ask for unix socket support during the existing install but didn't have libjansson then. I have installed it now tho.
Updated by Peter Manev over 11 years ago
I would suggest using "find" to locate Suricata files.
Then you could try removing the Suricata binary and repeating the installation from scratch - see if you can reproduce the issue.
thanks
Updated by April Lorenzen over 11 years ago
I followed your suggestion and it works now with pfring support and unix socket support.
I don't see a close button to close this issue?
Thanks,
- April
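
The checks used in this thread (which suricata binary is on the path, what its --build-info says about PF_RING, and whether the pf_ring module is loaded) collected into one script. This is an added example, not part of the original thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report PF_RING build support for every suricata binary
# reachable through a PATH-style directory list, so a stale or duplicate
# binary built without --enable-pfring is easy to spot.

# pfring_support: read `suricata --build-info` text on stdin and print
# "yes" or "no" from the "PF_RING support:" line, or "unknown" if absent.
pfring_support() {
    awk -F: '/PF_RING support/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print (v == "" ? "unknown" : v) }'
}

# audit_suricata_binaries DIRS: DIRS is colon-separated, like $PATH.
# Prints one "<path> <yes|no|unknown>" line per executable named suricata.
audit_suricata_binaries() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        bin="$dir/suricata"
        if [ -f "$bin" ] && [ -x "$bin" ]; then
            printf '%s %s\n' "$bin" \
                "$("$bin" --build-info 2>/dev/null | pfring_support)"
        fi
    done
    IFS=$old_ifs
}

# pfring_module_loaded [FILE]: succeeds when the kernel module's info file
# is readable (default /proc/net/pf_ring/info, present after modprobe pf_ring).
pfring_module_loaded() {
    [ -r "${1:-/proc/net/pf_ring/info}" ]
}

# Typical call: audit_suricata_binaries "$PATH"
```

More than one output line, or a single line ending in "no", points at the binary that has to be removed and rebuilt with --enable-pfring.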