Hi Robert,
please note that ZC is not compatible with kernel clustering, this means that:

1. you should not set --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow
2. if you want multiple capture threads, you should use RSS and capture from each RSS interface/queue (e.g. zc:p1p1@0 and zc:p1p1@1 if you have RSS=2)

In your example, Suricata is trying to enable multiple sockets on the same interface/queue, thus the failure.
Alfredo

> On 2 Jul 2018, at 19:54, Robert Cyphers <[email protected]> wrote:
> 
> Hello NTOP users.
> 
> I'm looking for hints on running Suricata over PF_RING ZC with multiple receive threads.
> 
> I have it running in single threaded mode, but it doesn't want to startup with more than one thread.
> 
> 
> One thread runs ok:
> 
> ```
> shoshin@pit6:~$ sudo suricata --pfring-int=zc:p1p1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /usr/local/etc/suricata/rcc/suricata-pfring-zc-v1.yaml --init-errors-fatal --runmode workers -v
> 2/7/2018 -- 13:04:02 - <Notice> - This is Suricata version 4.0.4 RELEASE
> 2/7/2018 -- 13:04:02 - <Info> - CPUs/cores online: 80
> 2/7/2018 -- 13:04:03 - <Info> - Running in live mode, activating unix socket
> 2/7/2018 -- 13:04:06 - <Info> - 38 rule files processed. 12462 rules successfully loaded, 0 rules failed
> 2/7/2018 -- 13:04:06 - <Info> - Threshold config parsed: 0 rule(s) found
> 2/7/2018 -- 13:04:06 - <Info> - 12467 signatures processed. 1168 are IP-only rules, 5189 are inspecting packet payload, 7608 inspect application layer, 0 are decoder event only
> 2/7/2018 -- 13:04:12 - <Info> - fast output device (regular) initialized: fast.log
> 2/7/2018 -- 13:04:12 - <Info> - eve-log output device (regular) initialized: eve.json
> 2/7/2018 -- 13:04:12 - <Info> - stats output device (regular) initialized: stats.log
> 2/7/2018 -- 13:04:12 - <Info> - Using flow cluster mode for PF_RING (iface zc:p1p1)
> 2/7/2018 -- 13:04:12 - <Info> - Going to use 1 thread(s)
> #########################################################################
> # ERROR: You do not seem to have a valid PF_RING ZC license 7.3.0.180618 for p1p1 [Intel 10/40 Gbit i40e family]
> # ERROR: Please get one at http://shop.ntop.org/.
> #########################################################################
> # We're now working in demo mode with packet capture and
> # transmission limited to 5 minutes
> #########################################################################
> 2/7/2018 -- 13:04:13 - <Info> - ZC interface detected, not adding thread to cluster
> 2/7/2018 -- 13:04:13 - <Info> - RunModeIdsPfringWorkers initialised
> 2/7/2018 -- 13:04:13 - <Info> - Running in live mode, activating unix socket
> 2/7/2018 -- 13:04:13 - <Info> - Using unix socket file '/usr/local/var/run/suricata/suricata-command.socket'
> 2/7/2018 -- 13:04:13 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
> 2/7/2018 -- 13:04:34 - <Warning> - [ERRCODE: SC_ERR_PF_RING_VLAN(302)] - no VLAN header in the raw packet. See #2355.
> ^C2/7/2018 -- 13:06:17 - <Notice> - Signal Received. Stopping engine.
> 2/7/2018 -- 13:07:49 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "FM#01". Killing engine
> ```
> 
> ---
> 
> Two threads fail to start:
> 
> ```
> shoshin@pit6:~$ sudo suricata --pfring-int=zc:p1p1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /usr/local/etc/suricata/rcc/suricata-pfring-zc-v1.yaml --init-errors-fatal --runmode workers -v
> 2/7/2018 -- 13:01:01 - <Notice> - This is Suricata version 4.0.4 RELEASE
> 2/7/2018 -- 13:01:01 - <Info> - CPUs/cores online: 80
> 2/7/2018 -- 13:01:02 - <Info> - Running in live mode, activating unix socket
> 2/7/2018 -- 13:01:04 - <Info> - 38 rule files processed. 12462 rules successfully loaded, 0 rules failed
> 2/7/2018 -- 13:01:04 - <Info> - Threshold config parsed: 0 rule(s) found
> 2/7/2018 -- 13:01:05 - <Info> - 12467 signatures processed. 1168 are IP-only rules, 5189 are inspecting packet payload, 7608 inspect application layer, 0 are decoder event only
> 2/7/2018 -- 13:01:11 - <Info> - fast output device (regular) initialized: fast.log
> 2/7/2018 -- 13:01:11 - <Info> - eve-log output device (regular) initialized: eve.json
> 2/7/2018 -- 13:01:11 - <Info> - stats output device (regular) initialized: stats.log
> 2/7/2018 -- 13:01:11 - <Info> - Using flow cluster mode for PF_RING (iface zc:p1p1)
> 2/7/2018 -- 13:01:11 - <Info> - Going to use 2 thread(s)
> #########################################################################
> # ERROR: You do not seem to have a valid PF_RING ZC license 7.3.0.180618 for p1p1 [Intel 10/40 Gbit i40e family]
> # ERROR: Please get one at http://shop.ntop.org/.
> #########################################################################
> # We're now working in demo mode with packet capture and
> # transmission limited to 5 minutes
> #########################################################################
> 2/7/2018 -- 13:01:12 - <Info> - ZC interface detected, not adding thread to cluster
> #########################################################################
> # ERROR: You do not seem to have a valid PF_RING ZC license 7.3.0.180618 for p1p1 [Intel 10/40 Gbit i40e family]
> # ERROR: Please get one at http://shop.ntop.org/.
> #########################################################################
> 2/7/2018 -- 13:01:14 - <Info> - ZC interface detected, not adding thread to cluster
> 2/7/2018 -- 13:01:14 - <Info> - RunModeIdsPfringWorkers initialised
> 2/7/2018 -- 13:01:14 - <Info> - Running in live mode, activating unix socket
> 2/7/2018 -- 13:01:14 - <Info> - Using unix socket file '/usr/local/var/run/suricata/suricata-command.socket'
> 2/7/2018 -- 13:01:14 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
> 2/7/2018 -- 13:01:14 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - pfring_enable_ring failed returned -1
> 2/7/2018 -- 13:01:14 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#02-zc:p1p1 failed
> ```
> 
> 
> I followed the instructions for configuring PF_RING for Suricata listed in "Accelerating Suricata with PF_RING DNA"
> https://www.ntop.org/pf_ring/accelerating-suricata-with-pf_ring-dna/
> 
> ---
> 
> My PF_RING configuration in suricata-pfring-zc-v1.yaml is this:
> 
> ```
> # PF_RING configuration. for use with native PF_RING support
> # for more info see http://www.ntop.org/products/pf_ring/
> pfring:
>   #- interface: eth0
>   - interface: p1p1
>     # Number of receive threads (>1 will enable experimental flow pinned
>     # runmode)
>     #threads: 1
>     threads: 40
>   - interface: zc:p1p1
>     threads: 1
> 
>     # Default clusterid. PF_RING will load balance packets based on flow.
>     # All threads/processes that will participate need to have the same
>     # clusterid.
>     cluster-id: 99
> 
>     # Default PF_RING cluster type. PF_RING can load balance per flow.
>     # Possible values are cluster_flow or cluster_round_robin.
>     cluster-type: cluster_flow
>     # bpf filter for this interface
>     #bpf-filter: tcp
>     # Choose checksum verification mode for the interface. At the moment
>     # of the capture, some packets may be with an invalid checksum due to
>     # offloading to the network card of the checksum computation.
>     # Possible values are:
>     #  - rxonly: only compute checksum for packets received by network card.
>     #  - yes: checksum validation is forced
>     #  - no: checksum validation is disabled
>     #  - auto: suricata uses a statistical approach to detect when
>     #  checksum off-loading is used. (default)
>     # Warning: 'checksum-validation' must be set to yes to have any validation
>     #checksum-checks: auto
>   # Second interface
>   #- interface: eth1
>   #  threads: 3
>   #  cluster-id: 93
>   #  cluster-type: cluster_flow
>   # Put default values here
>   - interface: default
>     #threads: 2
> ```
> 
> Any hints would be appreciated.
> Thx
> 
> 
> -- 
> Robert Cyphers
> [email protected]
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
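The fix Alfredo describes above, worked through as a small POSIX sh helper. This is an added example, not code from the thread, from ntop or from the Suricata project: it emits the `pfring:` YAML section for a ZC interface split over RSS queues (one `zc:IFACE@N` entry per queue, one thread each, no `cluster-id`/`cluster-type`), and it checks an existing YAML file or a Suricata command line for the incompatible combination Robert hit (a `zc:` interface together with kernel clustering). The interface name `p1p1` and the queue count of 2 are assumed values taken from the reply; the actual RSS queue count on a real box comes from the NIC configuration and must match what you pass in.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): PF_RING ZC + RSS helper
# for Suricata's pfring: configuration section.

# gen_pfring_zc_config IFACE NQUEUES
# Print a pfring: section with one capture entry per RSS queue
# (zc:IFACE@0 .. zc:IFACE@N-1), one thread per queue, and deliberately
# no cluster-id / cluster-type, since ZC does not use kernel clustering.
gen_pfring_zc_config() {
  iface=$1
  nqueues=$2
  echo "pfring:"
  q=0
  while [ "$q" -lt "$nqueues" ]; do
    echo "  - interface: zc:${iface}@${q}"
    echo "    threads: 1"
    q=$((q + 1))
  done
  echo "  - interface: default"
}

# check_zc_config FILE
# Return 1 (and print the offending line to stderr) if any zc: interface
# entry in FILE carries cluster-id or cluster-type; return 0 otherwise.
# Commented-out lines are ignored, so leftover template comments are fine.
check_zc_config() {
  awk '
    /^[ \t]*#/ { next }                              # skip YAML comments
    /^[ \t]*-[ \t]*interface:/ {                     # new interface entry
      inzc = ($0 ~ /interface:[ \t]*zc:/)            # remember if it is ZC
      next
    }
    inzc && /^[ \t]*cluster-(id|type):/ {
      printf("ZC interface combined with kernel clustering: %s\n", $0) > "/dev/stderr"
      bad = 1
    }
    END { exit bad }                                 # bad is 0 when unset
  ' "$1"
}

# check_pfring_args ARG...
# Return 1 if the command line combines --pfring-int=zc:... with
# --pfring-cluster-id or --pfring-cluster-type; return 0 otherwise.
check_pfring_args() {
  zc=0
  cluster=0
  for arg in "$@"; do
    case "$arg" in
      --pfring-int=zc:*) zc=1 ;;
      --pfring-cluster-id=*|--pfring-cluster-type=*) cluster=1 ;;
    esac
  done
  if [ "$zc" -eq 1 ] && [ "$cluster" -eq 1 ]; then
    echo "zc: interface must not be combined with --pfring-cluster-*" >&2
    return 1
  fi
  return 0
}

# Stand-alone usage: print the config for p1p1 with 2 RSS queues (assumed values).
gen_pfring_zc_config p1p1 2
```

Feed the generated section into the `pfring:` block of the YAML and start one Suricata worker per queue; running `check_zc_config` on the file before startup catches the `cluster-id: 99` under a `zc:` entry that produced the `pfring_enable_ring failed` error in the second log above.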
