Mailing List Archive

problem starting PF_RING ZC with multiple receive threads
Hello NTOP users.

I'm looking for hints on running Suricata over PF_RING ZC with multiple receive threads.

I have it running in single-threaded mode, but it doesn't want to start up with more than one thread.


One thread runs ok:

```
shoshin@pit6:~$ sudo suricata --pfring-int=zc:p1p1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /usr/local/etc/suricata/rcc/suricata-pfring-zc-v1.yaml --init-errors-fatal --runmode workers -v
2/7/2018 -- 13:04:02 - <Notice> - This is Suricata version 4.0.4 RELEASE
2/7/2018 -- 13:04:02 - <Info> - CPUs/cores online: 80
2/7/2018 -- 13:04:03 - <Info> - Running in live mode, activating unix socket
2/7/2018 -- 13:04:06 - <Info> - 38 rule files processed. 12462 rules successfully loaded, 0 rules failed
2/7/2018 -- 13:04:06 - <Info> - Threshold config parsed: 0 rule(s) found
2/7/2018 -- 13:04:06 - <Info> - 12467 signatures processed. 1168 are IP-only rules, 5189 are inspecting packet payload, 7608 inspect application layer, 0 are decoder event only
2/7/2018 -- 13:04:12 - <Info> - fast output device (regular) initialized: fast.log
2/7/2018 -- 13:04:12 - <Info> - eve-log output device (regular) initialized: eve.json
2/7/2018 -- 13:04:12 - <Info> - stats output device (regular) initialized: stats.log
2/7/2018 -- 13:04:12 - <Info> - Using flow cluster mode for PF_RING (iface zc:p1p1)
2/7/2018 -- 13:04:12 - <Info> - Going to use 1 thread(s)
#########################################################################
# ERROR: You do not seem to have a valid PF_RING ZC license 7.3.0.180618 for p1p1 [Intel 10/40 Gbit i40e family]
# ERROR: Please get one at http://shop.ntop.org/.
#########################################################################
# We're now working in demo mode with packet capture and
# transmission limited to 5 minutes
#########################################################################
2/7/2018 -- 13:04:13 - <Info> - ZC interface detected, not adding thread to cluster
2/7/2018 -- 13:04:13 - <Info> - RunModeIdsPfringWorkers initialised
2/7/2018 -- 13:04:13 - <Info> - Running in live mode, activating unix socket
2/7/2018 -- 13:04:13 - <Info> - Using unix socket file '/usr/local/var/run/suricata/suricata-command.socket'
2/7/2018 -- 13:04:13 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
2/7/2018 -- 13:04:34 - <Warning> - [ERRCODE: SC_ERR_PF_RING_VLAN(302)] - no VLAN header in the raw packet. See #2355.
^C2/7/2018 -- 13:06:17 - <Notice> - Signal Received. Stopping engine.
2/7/2018 -- 13:07:49 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "FM#01". Killing engine
```

---

Two threads fail to start:

```
shoshin@pit6:~$ sudo suricata --pfring-int=zc:p1p1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /usr/local/etc/suricata/rcc/suricata-pfring-zc-v1.yaml --init-errors-fatal --runmode workers -v
2/7/2018 -- 13:01:01 - <Notice> - This is Suricata version 4.0.4 RELEASE
2/7/2018 -- 13:01:01 - <Info> - CPUs/cores online: 80
2/7/2018 -- 13:01:02 - <Info> - Running in live mode, activating unix socket
2/7/2018 -- 13:01:04 - <Info> - 38 rule files processed. 12462 rules successfully loaded, 0 rules failed
2/7/2018 -- 13:01:04 - <Info> - Threshold config parsed: 0 rule(s) found
2/7/2018 -- 13:01:05 - <Info> - 12467 signatures processed. 1168 are IP-only rules, 5189 are inspecting packet payload, 7608 inspect application layer, 0 are decoder event only
2/7/2018 -- 13:01:11 - <Info> - fast output device (regular) initialized: fast.log
2/7/2018 -- 13:01:11 - <Info> - eve-log output device (regular) initialized: eve.json
2/7/2018 -- 13:01:11 - <Info> - stats output device (regular) initialized: stats.log
2/7/2018 -- 13:01:11 - <Info> - Using flow cluster mode for PF_RING (iface zc:p1p1)
2/7/2018 -- 13:01:11 - <Info> - Going to use 2 thread(s)
#########################################################################
# ERROR: You do not seem to have a valid PF_RING ZC license 7.3.0.180618 for p1p1 [Intel 10/40 Gbit i40e family]
# ERROR: Please get one at http://shop.ntop.org/.
#########################################################################
# We're now working in demo mode with packet capture and
# transmission limited to 5 minutes
#########################################################################
2/7/2018 -- 13:01:12 - <Info> - ZC interface detected, not adding thread to cluster
#########################################################################
# ERROR: You do not seem to have a valid PF_RING ZC license 7.3.0.180618 for p1p1 [Intel 10/40 Gbit i40e family]
# ERROR: Please get one at http://shop.ntop.org/.
#########################################################################
2/7/2018 -- 13:01:14 - <Info> - ZC interface detected, not adding thread to cluster
2/7/2018 -- 13:01:14 - <Info> - RunModeIdsPfringWorkers initialised
2/7/2018 -- 13:01:14 - <Info> - Running in live mode, activating unix socket
2/7/2018 -- 13:01:14 - <Info> - Using unix socket file '/usr/local/var/run/suricata/suricata-command.socket'
2/7/2018 -- 13:01:14 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
2/7/2018 -- 13:01:14 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - pfring_enable_ring failed returned -1
2/7/2018 -- 13:01:14 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#02-zc:p1p1 failed
```


I followed the instructions for configuring PF_RING for Suricata listed in "Accelerating Suricata with PF_RING DNA":
https://www.ntop.org/pf_ring/accelerating-suricata-with-pf_ring-dna/

---

My PF_RING configuration in suricata-pfring-zc-v1.yaml is this:

```
# PF_RING configuration. for use with native PF_RING support
# for more info see http://www.ntop.org/products/pf_ring/
pfring:
  # - interface: eth0
  - interface: p1p1
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    # threads: 1
    threads: 40
  - interface: zc:p1p1
    threads: 1

    # Default clusterid. PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99

    # Default PF_RING cluster type. PF_RING can load balance per flow.
    # Possible values are cluster_flow or cluster_round_robin.
    cluster-type: cluster_flow
    # bpf filter for this interface
    #bpf-filter: tcp
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
  # Second interface
  #- interface: eth1
  #  threads: 3
  #  cluster-id: 93
  #  cluster-type: cluster_flow
  # Put default values here
  - interface: default
    #threads: 2
```

Any hints would be appreciated.
Thx


--
Robert Cyphers
shoshin@fastmail.com
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: problem starting PF_RING ZC with multiple receive threads
Hi Robert,
please note that ZC is not compatible with kernel clustering. This means that:
1. you should not set --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow
2. if you want multiple capture threads, you should use RSS and capture from each RSS interface/queue (e.g. zc:p1p1@0 and zc:p1p1@1 if you have RSS=2)

In your example, Suricata is trying to enable multiple sockets on the same interface/queue, thus the failure.

Alfredo

> On 2 Jul 2018, at 19:54, Robert Cyphers <shoshin@fastmail.com> wrote:
>
> Hello NTOP users.
>
> I'm looking for hints on running Suricata over PF_RING ZC with multiple receive threads.
>
> I have it running in single-threaded mode, but it doesn't want to start up with more than one thread.
>
>
> One thread runs ok:
>
> ```
> shoshin@pit6:~$ sudo suricata --pfring-int=zc:p1p1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /usr/local/etc/suricata/rcc/suricata-pfring-zc-v1.yaml --init-errors-fatal --runmode workers -v
> 2/7/2018 -- 13:04:02 - <Notice> - This is Suricata version 4.0.4 RELEASE
> 2/7/2018 -- 13:04:02 - <Info> - CPUs/cores online: 80
> 2/7/2018 -- 13:04:03 - <Info> - Running in live mode, activating unix socket
> 2/7/2018 -- 13:04:06 - <Info> - 38 rule files processed. 12462 rules successfully loaded, 0 rules failed
> 2/7/2018 -- 13:04:06 - <Info> - Threshold config parsed: 0 rule(s) found
> 2/7/2018 -- 13:04:06 - <Info> - 12467 signatures processed. 1168 are IP-only rules, 5189 are inspecting packet payload, 7608 inspect application layer, 0 are decoder event only
> 2/7/2018 -- 13:04:12 - <Info> - fast output device (regular) initialized: fast.log
> 2/7/2018 -- 13:04:12 - <Info> - eve-log output device (regular) initialized: eve.json
> 2/7/2018 -- 13:04:12 - <Info> - stats output device (regular) initialized: stats.log
> 2/7/2018 -- 13:04:12 - <Info> - Using flow cluster mode for PF_RING (iface zc:p1p1)
> 2/7/2018 -- 13:04:12 - <Info> - Going to use 1 thread(s)
> #########################################################################
> # ERROR: You do not seem to have a valid PF_RING ZC license 7.3.0.180618 for p1p1 [Intel 10/40 Gbit i40e family]
> # ERROR: Please get one at http://shop.ntop.org/.
> #########################################################################
> # We're now working in demo mode with packet capture and
> # transmission limited to 5 minutes
> #########################################################################
> 2/7/2018 -- 13:04:13 - <Info> - ZC interface detected, not adding thread to cluster
> 2/7/2018 -- 13:04:13 - <Info> - RunModeIdsPfringWorkers initialised
> 2/7/2018 -- 13:04:13 - <Info> - Running in live mode, activating unix socket
> 2/7/2018 -- 13:04:13 - <Info> - Using unix socket file '/usr/local/var/run/suricata/suricata-command.socket'
> 2/7/2018 -- 13:04:13 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
> 2/7/2018 -- 13:04:34 - <Warning> - [ERRCODE: SC_ERR_PF_RING_VLAN(302)] - no VLAN header in the raw packet. See #2355.
> ^C2/7/2018 -- 13:06:17 - <Notice> - Signal Received. Stopping engine.
> 2/7/2018 -- 13:07:49 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "FM#01". Killing engine
> ```
>
> ---
>
> Two threads fail to start:
>
> ```
> shoshin@pit6:~$ sudo suricata --pfring-int=zc:p1p1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /usr/local/etc/suricata/rcc/suricata-pfring-zc-v1.yaml --init-errors-fatal --runmode workers -v
> 2/7/2018 -- 13:01:01 - <Notice> - This is Suricata version 4.0.4 RELEASE
> 2/7/2018 -- 13:01:01 - <Info> - CPUs/cores online: 80
> 2/7/2018 -- 13:01:02 - <Info> - Running in live mode, activating unix socket
> 2/7/2018 -- 13:01:04 - <Info> - 38 rule files processed. 12462 rules successfully loaded, 0 rules failed
> 2/7/2018 -- 13:01:04 - <Info> - Threshold config parsed: 0 rule(s) found
> 2/7/2018 -- 13:01:05 - <Info> - 12467 signatures processed. 1168 are IP-only rules, 5189 are inspecting packet payload, 7608 inspect application layer, 0 are decoder event only
> 2/7/2018 -- 13:01:11 - <Info> - fast output device (regular) initialized: fast.log
> 2/7/2018 -- 13:01:11 - <Info> - eve-log output device (regular) initialized: eve.json
> 2/7/2018 -- 13:01:11 - <Info> - stats output device (regular) initialized: stats.log
> 2/7/2018 -- 13:01:11 - <Info> - Using flow cluster mode for PF_RING (iface zc:p1p1)
> 2/7/2018 -- 13:01:11 - <Info> - Going to use 2 thread(s)
> #########################################################################
> # ERROR: You do not seem to have a valid PF_RING ZC license 7.3.0.180618 for p1p1 [Intel 10/40 Gbit i40e family]
> # ERROR: Please get one at http://shop.ntop.org/.
> #########################################################################
> # We're now working in demo mode with packet capture and
> # transmission limited to 5 minutes
> #########################################################################
> 2/7/2018 -- 13:01:12 - <Info> - ZC interface detected, not adding thread to cluster
> #########################################################################
> # ERROR: You do not seem to have a valid PF_RING ZC license 7.3.0.180618 for p1p1 [Intel 10/40 Gbit i40e family]
> # ERROR: Please get one at http://shop.ntop.org/.
> #########################################################################
> 2/7/2018 -- 13:01:14 - <Info> - ZC interface detected, not adding thread to cluster
> 2/7/2018 -- 13:01:14 - <Info> - RunModeIdsPfringWorkers initialised
> 2/7/2018 -- 13:01:14 - <Info> - Running in live mode, activating unix socket
> 2/7/2018 -- 13:01:14 - <Info> - Using unix socket file '/usr/local/var/run/suricata/suricata-command.socket'
> 2/7/2018 -- 13:01:14 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
> 2/7/2018 -- 13:01:14 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - pfring_enable_ring failed returned -1
> 2/7/2018 -- 13:01:14 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#02-zc:p1p1 failed
> ```
>
>
> I followed the instructions for configuring PF_RING for Suricata listed in "Accelerating Suricata with PF_RING DNA":
> https://www.ntop.org/pf_ring/accelerating-suricata-with-pf_ring-dna/
>
> ---
>
> My PF_RING configuration in suricata-pfring-zc-v1.yaml is this:
>
> ```
> # PF_RING configuration. for use with native PF_RING support
> # for more info see http://www.ntop.org/products/pf_ring/
> pfring:
>   # - interface: eth0
>   - interface: p1p1
>     # Number of receive threads (>1 will enable experimental flow pinned
>     # runmode)
>     # threads: 1
>     threads: 40
>   - interface: zc:p1p1
>     threads: 1
>
>     # Default clusterid. PF_RING will load balance packets based on flow.
>     # All threads/processes that will participate need to have the same
>     # clusterid.
>     cluster-id: 99
>
>     # Default PF_RING cluster type. PF_RING can load balance per flow.
>     # Possible values are cluster_flow or cluster_round_robin.
>     cluster-type: cluster_flow
>     # bpf filter for this interface
>     #bpf-filter: tcp
>     # Choose checksum verification mode for the interface. At the moment
>     # of the capture, some packets may be with an invalid checksum due to
>     # offloading to the network card of the checksum computation.
>     # Possible values are:
>     #  - rxonly: only compute checksum for packets received by network card.
>     #  - yes: checksum validation is forced
>     #  - no: checksum validation is disabled
>     #  - auto: suricata uses a statistical approach to detect when
>     #  checksum off-loading is used. (default)
>     # Warning: 'checksum-validation' must be set to yes to have any validation
>     #checksum-checks: auto
>   # Second interface
>   #- interface: eth1
>   #  threads: 3
>   #  cluster-id: 93
>   #  cluster-type: cluster_flow
>   # Put default values here
>   - interface: default
>     #threads: 2
> ```
>
> Any hints would be appreciated.
> Thx
>
>
> --
> Robert Cyphers
> shoshin@fastmail.com
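
The layout described in the reply above, as an added configuration sketch that is not part of the original thread: one `pfring` entry per RSS queue, one thread per entry, and no cluster settings. It assumes the ZC driver for p1p1 exposes two RSS queues (RSS=2) and that Suricata is started with `--pfring`, so the interface list comes from the YAML instead of `--pfring-int`.

```yaml
# Added example, not from the original thread.
# Assumption: the ZC driver exposes two RSS queues on p1p1 (RSS=2).
pfring:
  # One entry per RSS queue. Each queue is opened by exactly one thread,
  # so no two sockets are enabled on the same interface/queue.
  - interface: zc:p1p1@0
    threads: 1
  - interface: zc:p1p1@1
    threads: 1
  # No cluster-id / cluster-type: ZC is not compatible with kernel
  # clustering; the NIC's RSS spreads traffic across the queues instead.
```

With this in place the command line drops `--pfring-int`, `--pfring-cluster-id` and `--pfring-cluster-type`, for example `sudo suricata --pfring -c /usr/local/etc/suricata/rcc/suricata-pfring-zc-v1.yaml --runmode workers -v`. A sensor that starts cleanly logs no `SC_ERR_PF_RING_OPEN` line for the second worker.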