Pfring_zc cluster zuricata interface issue

Jan_Hugo_Prins · October 27, 2020, 12:55am

Hello,

On my IDS servers I have a PFRing_ZC configuration where I have 4 sniff interfaces (only incoming traffic), and 2 zbalance_ipc clusters creating multiple packet queue’s for sniffing.
On 4 of the queue’s I have zeek running, listening on zc:0@0, zc:0@1, zc:1@0 and zc:1@1.
On the other 4 queues I want to start Suricata. The interface names of these queues are: zc:0@2, zc:0@3, zc:1@2 and zc:1@3.
Cluster 0 is bound to Numa node 0 and Cluster 1 is bound to Numa node 1.

I have compiled Zuricata with pf_ring support, and ldd tells me this is the case:

[root@idsprobe03 suricata]# ldd /sbin/suricata |grep pfring
libpfring.so.7 => /usr/local/lib/libpfring.so.7 (0x00007fa912dcb000)

I have tried all sorts of pfring config settings, but everything fails:

pfring:
- interface: zc:0@2
# threads: auto
# cluster-id: 0
# cluster-type: cluster_flow
- interface: zc:0@3
# threads: auto
# cluster-id: 0
# cluster-type: cluster_flow

27/10/2020 – 01:51:24 - - ZC interface detected, not setting cluster-id for PF_RING (iface zc:0@2)
27/10/2020 – 01:51:24 - - ZC interface detected, not setting cluster type for PF_RING (iface zc:0@2)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@2’: No such device (19)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@2’: No such device (19)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@2’: No such device (19)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@2’: No such device (19)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@2’: No such device (19)
27/10/2020 – 01:51:24 - - Going to use 1 thread(s)
27/10/2020 – 01:51:24 - - Setting prio 0 for thread “W#01-zc:0@2” to cpu/core 10, thread id 26924
27/10/2020 – 01:51:24 - - Enabling zero-copy for zc:0@2
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - Failed to open zc:0@2: pfring_open error. Check if zc:0@2 exists and pf_ring module is loaded.
27/10/2020 – 01:51:24 - - ZC interface detected, not setting cluster-id for PF_RING (iface zc:0@3)
27/10/2020 – 01:51:24 - - ZC interface detected, not setting cluster type for PF_RING (iface zc:0@3)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@3’: No such device (19)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@3’: No such device (19)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@3’: No such device (19)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@3’: No such device (19)
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for ‘zc:0@3’: No such device (19)
27/10/2020 – 01:51:24 - - Going to use 1 thread(s)
27/10/2020 – 01:51:24 - - Setting prio 0 for thread “W#01-zc:0@3” to cpu/core 11, thread id 26935
27/10/2020 – 01:51:24 - - Enabling zero-copy for zc:0@3
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - Failed to open zc:0@3: pfring_open error. Check if zc:0@3 exists and pf_ring module is loaded.
27/10/2020 – 01:51:24 - - RunModeIdsPfringWorkers initialised
27/10/2020 – 01:51:24 - - Setting prio 0 for thread “FM#01”, thread id 26936
27/10/2020 – 01:51:24 - - Setting prio 0 for thread “FR#01”, thread id 26937
27/10/2020 – 01:51:24 - - Setting prio 0 for thread “CW”, thread id 26938
27/10/2020 – 01:51:24 - - Setting prio 0 for thread “CS”, thread id 26939
27/10/2020 – 01:51:24 - - Running in live mode, activating unix socket
27/10/2020 – 01:51:24 - - Using unix socket file ‘/var/run/suricata/suricata-command.socket’
27/10/2020 – 01:51:24 - - Setting prio 0 for thread “US”, thread id 26940
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread “W#01-zc:0@2” failed to initialize: flags 0145
27/10/2020 – 01:51:24 - - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting…

What am I doing wrong?

Greetings,
Jan Hugo Prins

Michael971022 · October 27, 2020, 5:57am

In my experience, suricata shows the error [ERRCODE: SC_ERR_SYSCALL(50)] is normal ,It still works! You can refer to the following link
Question
Answer

So you can focus on other error , such as [ERRCODE: SC_ERR_FATAL(171)]

[ERRCODE: SC_ERR_PF_RING_OPEN(34)] - Failed to open zc:0@3: pfring_open error. Check if zc:0@3 exists and pf_ring module is loaded
I think this error may be dirver issue. For example i40e NIC use ixgbe

Jan_Hugo_Prins · October 27, 2020, 9:08am

I get this error when I’m not running suricata as root. So it might actually be a authorization issue. Have not yet found out what authorization is failing. If someone knows what this error 34 means, please let me know.

Best regards,
Jan Hugo Prins

Jan_Hugo_Prins · October 27, 2020, 9:45am

[pid 25919] <… close resumed> ) = 0
[pid 25878] <… nanosleep resumed> NULL) = 0
[pid 25878] nanosleep({0, 100000}, <unfinished …>
[pid 25919] write(2, "27/10/2020 – 10:42:13 - "…, 16727/10/2020 – 10:42:13 - - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - Failed to open zc:0@3:
pfring_open error. Check if zc:0@3 exists and pf_ring module is loaded.
) = 167
[pid 25919] write(3, "27/10/2020 – 10:42:13 - "…, 167) = 167
[pid 25919] madvise(0x7f94ea1a5000, 8368128, MADV_DONTNEED <unfinished …>
[pid 25878] <… nanosleep resumed> NULL) = 0
[pid 25919] <… madvise resumed> ) = 0
[pid 25919] exit(0) = ?
[pid 25878] write(1, "27/10/2020 – 10:42:13 - "…, 7027/10/2020 – 10:42:13 - - RunModeIdsPfringWorkers initialised
<unfinished …>
[pid 25919] +++ exited with 0 +++
<… write resumed> ) = 70
write(3, "27/10/2020 – 10:42:13 - "…, 70) = 70
write(1, “27/10/2020 – 10:42:13 - <Config”…, 6527/10/2020 – 10:42:13 - - using 1 flow manager threads
) = 65
write(3, “27/10/2020 – 10:42:13 - <Config”…, 65) = 65
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f94e99a4000
mprotect(0x7f94e99a4000, 4096, PROT_NONE) = 0
clone(strace: Process 25920 attached
child_stack=0x7f94ea1a3bf0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID
, parent_tidptr=0x7f94ea1a49d0, tls=0x7f94ea1a4700, child_tidptr=0x7f94ea1a49d0) = 25920
[pid 25920] set_robust_list(0x7f94ea1a49e0, 24 <unfinished …>
[pid 25878] nanosleep({0, 100000}, <unfinished …>
[pid 25920] <… set_robust_list resumed> ) = 0

suricatalfon · October 28, 2020, 8:30am

Hi,

I to work with pf_ring:

PF_RING/drivers/intel/ixgbe/ixgbe-5.5.3-zc/src $ sudo ./load_driver.sh

And in suricata.yaml:

default-packet-size: 1514

in pf_ring:
threads: 1

Jan_Hugo_Prins · November 1, 2020, 2:42pm

Hi.

Thanks, got it working. The problem was with the amount of memory any user could lock. There was a max on 64KByte, which is a little bit too little if you want Suricata to access much more memory out of the pf_ring zbalance_ipc cluster.

Got it fixed using the following settings:
In /etc/security/limits.conf:
root soft memlock unlimited
root hard memlock unlimited
zeek soft memlock unlimited
zeek hard memlock unlimited
suricata soft memlock unlimited
suricata hard memlock unlimited

In the systemd suricata settings:
LimitMEMLOCK=infinity

Jan Hugo Prins

Topic		Replies	Views
Suricata breaks after a little time running fine Help	16	1446	April 25, 2021
Advise regarding new IDS with 100G spanports Help suricata	1	380	February 9, 2023
Suricata PF_RING in IPS mode Help	5	905	June 7, 2024
Suricata high capture.kernel_drops count. I use the PF_RING zc mode Help pfring , suricata	30	1551	September 21, 2022
Feature request, requires Suricata support for innet 5 tuple mode Help suricata	2	391	April 25, 2023

Pfring_zc cluster zuricata interface issue

Related topics