
Mailing List Archive: NTop: Misc

Compiling Snort against PF_RING fails

 

 



chris.hellkvist at googlemail

May 2, 2012, 3:12 AM

Post #1 of 11
Compiling Snort against PF_RING fails

Hi list,

After I got TNAPI running, I tried to compile the current Snort version
(2.9.2.2) against PF_RING, but this fails:
./configure --with-libpcap-includes=/usr/local/include
--with-libpcap-libraries=/usr/local/lib
--with-libpfring-includes=/usr/local/include
--with-libpfring-libraries=/usr/local/lib --enable-zlib
--enable-perfprofiling -enable-linux-smp-stats

ends up in:

checking for pcap_datalink in -lpcap... no
checking pfring.h usability... yes
checking pfring.h presence... yes
checking for pfring.h... yes
checking for pfring_open in -lpfring... no
checking for pfring_open in -lpcap... no

ERROR! Libpcap library/headers (libpcap.a (or .so)/pcap.h)
not found, go get it from http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place. Also check if your libpcap depends on another
shared library that may be installed in an unusual place

The userland libs (pf_ring and libpcap) shipped with PF_RING are
installed on the machine:

~/snort-2.9.2.2$ ls -l /usr/local/lib/ | grep pcap
-rw-r--r-- 1 root root 401718 2012-05-02 11:58 libpcap.a
lrwxrwxrwx 1 root root 12 2012-05-02 11:58 libpcap.so -> libpcap.so.1
lrwxrwxrwx 1 root root 16 2012-05-02 11:58 libpcap.so.1 -> libpcap.so.1.1.1
-rwxr-xr-x 1 root root 363734 2012-05-02 11:58 libpcap.so.1.1.1
dth@ids-dus2-ded:~/snort-2.9.2.2$ ls -l /usr/local/lib/ | grep pfring
-rw-r--r-- 1 root root 174996 2012-05-02 11:53 libpfring.a
-rwxr-xr-x 1 root root 139603 2012-05-02 11:53 libpfring.so


~/snort-2.9.2.2$ ls -l /usr/local/include/
total 96
-rw-r--r-- 1 root root 4348 2012-04-27 12:41 daq_api.h
-rw-r--r-- 1 root root 6633 2012-04-27 12:41 daq_common.h
-rw-r--r-- 1 root root 3924 2012-04-27 12:41 daq.h
drwxr-xr-x 2 root root 4096 2012-05-02 11:58 pcap
-rw-r--r-- 1 root root 2393 2012-05-02 11:58 pcap-bpf.h
-rw-r--r-- 1 root root 2320 2012-05-02 11:58 pcap.h
-rw-r--r-- 1 root root 2125 2012-05-02 11:58 pcap-namedb.h
-rw-r--r-- 1 root root 17006 2012-05-02 11:53 pfring.h
-rw-r--r-- 1 root root 29739 2012-04-27 12:41 sfbpf_dlt.h
-rw-r--r-- 1 root root 6489 2012-04-27 12:41 sfbpf.h


Any ideas on that?

Thanks,
Chris
_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


deri at ntop

May 2, 2012, 3:20 AM

Post #2 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Chris,
you need to use the PF_RING DAQ module in PF_RING/userland/snort

Luca



chris.hellkvist at googlemail

May 2, 2012, 7:16 AM

Post #3 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Hi Luca,

2012/5/2 Luca Deri <deri [at] ntop>:
> Chris,
> you need to use the PF_RING DAQ module in PF_RING/userland/snort

On another machine I have built Snort using libpcap-dev that has been
shipped with the distribution. Everything (TNAPI/PF_RING) works now,
but starting Snort using the DAQ fails:
~# snort --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive
-i tnapi0 -v -e
Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
/usr/local/lib/daq/daq_pfring.so: dlopen:
/usr/local/lib/daq/daq_pfring.so: undefined symbol:
pfring_handle_hash_filtering_rule
ERROR: Can't find pfring DAQ!
Fatal Error, Quitting..

Hints?

Chris
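The dlopen failure in the post above means daq_pfring.so references a symbol that nothing loaded alongside it exports. As an added example (not part of the thread and not ntop's code), this script compares `nm -D` listings to name such symbols; the sample listings are constructed, and `example_module_entry` is a made-up name.

```shell
#!/bin/sh
# Added example: which symbols does a plugin need that no given library exports?
LC_ALL=C; export LC_ALL   # stable sort order for comm

# Print undefined (U) symbol names from `nm -D` text on stdin.
undefined_syms() {
    awk '$1 == "U" { sub(/@.*/, "", $2); print $2 }' | sort -u
}

# Print exported symbol names from `nm -D` text on stdin.
defined_syms() {
    awk 'NF == 3 && $2 != "U" { sub(/@.*/, "", $3); print $3 }' | sort -u
}

# missing_syms MODULE_NM LIB_NM...: names the module needs but no library defines.
missing_syms() {
    mod_nm=$1; shift
    need=$(mktemp); have=$(mktemp)
    undefined_syms < "$mod_nm" > "$need"
    cat "$@" | defined_syms > "$have"
    comm -23 "$need" "$have"
    rm -f "$need" "$have"
}

# check_module MODULE.so LIB.so...: same check on real files (needs binutils nm).
check_module() {
    so=$1; shift
    m=$(mktemp); l=$(mktemp)
    nm -D "$so" > "$m"
    for lib in "$@"; do nm -D --defined-only "$lib"; done > "$l"
    missing_syms "$m" "$l"
    rm -f "$m" "$l"
}

# Constructed sample listings (not taken from the poster's machine).
sample_module_nm() { cat <<'EOF'
                 U malloc@GLIBC_2.2.5
                 U pfring_handle_hash_filtering_rule
                 U pfring_open
                 w __gmon_start__
0000000000002c10 T example_module_entry
EOF
}
sample_libs_nm() { cat <<'EOF'
0000000000004f20 T pfring_open
0000000000005100 T pfring_close
000000000009c540 T malloc@@GLIBC_2.2.5
EOF
}

if [ "$#" -ge 2 ]; then check_module "$@"; fi
```

Run it as `sh check.sh /usr/local/lib/daq/daq_pfring.so /usr/local/lib/libpfring.so`; symbols provided by libc and other libraries not passed on the command line are listed too, so look at the `pfring_` entries.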


deri at ntop

May 2, 2012, 8:48 AM

Post #4 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Chris
are you using the PF_RING code from SVN? The missing API call is part of libpfring and it's strange that it's behaving like that.
Luca



chris.hellkvist at googlemail

May 2, 2012, 8:55 AM

Post #5 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Hi Luca,

2012/5/2 Luca Deri <deri [at] ntop>:
> Chris
> are you using the PF_RING code from SVN? The missing API call is part of libpfring and it's strange that it's behaving like that.
> Luca

Yep, everything is out of a fresh checkout today; also the DAQ is the
one I found in the dist out of SVN.

-Chris


chris.hellkvist at googlemail

May 6, 2012, 9:19 AM

Post #6 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Hi List,
Hi Luca,

2012/5/2 Chris Hellkvist <chris.hellkvist [at] googlemail>:
> Hi Luca,
>
> 2012/5/2 Luca Deri <deri [at] ntop>:
>> Chris
>> are you using the PF_RING code from SVN? The missing API call is part of libpfring and it's strange that it's behaving like that.
>> Luca
>
> Yep, everything is out of a fresh checkout today; also the DAQ is the
> one I found in the dist out of SVN.

Any ideas why the API call fails when using the PF_RING DAQ? I was
able to reproduce the error on another freshly installed system, using
the latest code from SVN. Without using the DAQ, PFRING/TNAPI is not able
to capture packets from the tnapi interface :-(.

Thanks,
Chris


deri at ntop

May 6, 2012, 11:45 AM

Post #7 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Chris,
sorry, I can't help you if you do not send us a precise log of the problem. Please file a bug on http://bugzilla.ntop.org so we can track your problem more easily than with emails.


Luca



cardigliano at ntop

May 6, 2012, 12:07 PM

Post #8 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Chris
the latest svn revision contains a configure fix, can you try with it?

Regards
Alfredo



chris.hellkvist at googlemail

May 6, 2012, 12:52 PM

Post #9 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Hi Alfredo,

2012/5/6 Alfredo Cardigliano <cardigliano [at] ntop>:
> Chris
> the latest svn revision contains a configure fix, can you try with it?

Thanks for your help.
I tried it with the latest SVN rev, but after recompilation and
installation of the DAQ module a "snort --daq-dir /usr/local/lib/daq
--daq-list" still fails:

write(2, "/usr/local/lib/daq//daq_pfring.s"...,
130/usr/local/lib/daq//daq_pfring.so: dlopen:
/usr/local/lib/daq//daq_pfring.so: undefined symbol:
pfring_handle_hash_filtering_rule

I'll try it again on a fresh machine and submit a bug report with all
steps and information. To get things right, what things included in
the PF_RING svn tree have to be installed (besides PF_RING/TNAPI) on
the machine for running Snort with PF_RING, TNAPI and the pfring-daq?

- libpfring (sure)
- libpcap from SVN (not sure?)
- the pfring daq (sure)

Anything I forgot?

Thanks,
Chris


cardigliano at ntop

May 6, 2012, 1:22 PM

Post #10 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Chris
please check again, there is another fix
However, you need:
- libpfring
- libpcap (vanilla or pfring-aware)
- daq

Alfredo



chris.hellkvist at googlemail

May 6, 2012, 1:31 PM

Post #11 of 11
Re: Compiling Snort against PF_RING fails [In reply to]

Alfredo,


2012/5/6 Alfredo Cardigliano <cardigliano [at] ntop>:
> Chris
> please check again, there is another fix
> However, you need:
> - libpfring
> - libpcap (vanilla or pfring-aware)
> - daq

Okay, I do not need to submit a bug request - it now works:
Run time for packet processing was 0.522638 seconds
Snort processed 2279 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
Pkts/sec: 2279
===============================================================================
Packet I/O Totals:
Received: 2279
Analyzed: 2279 (100.000%)
Dropped: 28268 ( 92.539%)

Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

Thanks for your support!

Chris