My last issue I hope

So everything is humming along with no errors, but also no events.

In looking at pf_ring, specifically /proc/net/pf_ring, I am seeing that it does not appear to be capturing packets…

Slot Len : 8224 [bucket+header]
Tot Memory : 67108864
Tot Packets : 0
Tot Pkt Lost : 0
Tot Insert : 0
Tot Read : 0
Insert Offset : 0
Remove Offset : 0
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Num Free Slots : 8159

I have the NICs in promisc mode, and have done the sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro

Have any of you run into this? I am scouring the web right now, but if anyone knows this one off the top of their head I would be most appreciative for any pointers.

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

Did you load the pf_ring module in mode 0 or something higher?

  .Seth

The simplest cause could be that you have an issue with the tap/span
port that is supposed to be feeding you traffic. Is your sensor
definitely receiving traffic? Are the ethernet links up?

Where might I find that info? I am looking.

And thanks!

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

If you don't know then you probably are using mode 0 which is the default. I think the next step is definitely to follow Justin's advice.

  .Seth

It certainly appears to be working and up in promisc mode...

eth4 Link encap:Ethernet HWaddr 00:1b:21:33:55:20
          inet6 addr: fe80::21b:21ff:fe33:5520/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:474826801 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:330011101828 (330.0 GB) TX bytes:468 (468.0 B)

Thanks all, I will continue to dig...

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

You have something like this in your node.cfg ?

    interface=eth4
    lb_method=pf_ring
    lb_procs=4

Interesting... I swear that these were at 0, but in looking at one node I am seeing what appear to be packets captured... The one here is on the manager, which is also running Suricata, and I am seeing packets captured. But further below I am not seeing packets on the node, and the Appl. Name is unknown...

On The MANAGER
richaj@utlmad0d0363:/proc/net/pf_ring$ more 32094-eth4.137
Bound Device(s) : eth4
Active : 1
Breed : Non-DNA
Sampling Rate : 1
Capture Direction : RX+TX
Socket Mode : RX+TX
Appl. Name : Suricata
IP Defragment : No
BPF Filtering : Disabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0
Poll Pkt Watermark : 128
Num Poll Calls : 1534927
Channel Id Mask : 0xFFFFFFFF
Cluster Id : 99
Slot Version : 14 [5.4.6]
Min Num Slots : 4889
Bucket Len : 1514
Slot Len : 1714 [bucket+header]
Tot Memory : 8388608
Tot Packets : 107648318
Tot Pkt Lost : 672416
Tot Insert : 106975907
Tot Read : 106975798
Insert Offset : 7698710
Remove Offset : 7603240
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Num Free Slots : 4780

On the NODE:
richaj@utlmad0d0367:/proc/net/pf_ring$ more 8903-eth4.5
Bound Device(s) : eth4
Active : 1
Breed : Non-DNA
Sampling Rate : 1
Capture Direction : RX+TX
Socket Mode : RX+TX
Appl. Name : <unknown>
IP Defragment : No
BPF Filtering : Enabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0
Poll Pkt Watermark : 1
Num Poll Calls : 665709393
Channel Id Mask : 0xFFFFFFFF
Cluster Id : 22
Slot Version : 14 [5.4.6]
Min Num Slots : 8159
Bucket Len : 8192
Slot Len : 8224 [bucket+header]
Tot Memory : 67108864
Tot Packets : 0
Tot Pkt Lost : 0
Tot Insert : 0
Tot Read : 0
Insert Offset : 0
Remove Offset : 0
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Num Free Slots : 8159
richaj@utlmad0d0367:/proc/net/pf_ring$

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880
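The two socket files quoted above are the per-socket view that PF_RING exposes under /proc/net/pf_ring (one file per bound socket, named pid-interface.id). The script below is an added example, not code from the thread, Bro or PF_RING: it parses that "Key : Value" format and flags the symptoms visible in the worker's output (Active with Tot Packets at 0, Appl. Name of `<unknown>`) and in the manager's (Tot Pkt Lost against Tot Packets). The two sample files are constructed, abridged copies of the outputs above; the `scan_proc` helper and the finding text are assumptions of this example.

```python
"""Parse per-socket statistics from /proc/net/pf_ring and flag common problems.

Added example (hypothetical helper): each socket file is a list of
"Key : Value" lines like the ones quoted in the thread.
"""
import re
from pathlib import Path

# Constructed sample: abridged copy of the manager's socket file quoted above.
MANAGER_SOCKET = """\
Bound Device(s)    : eth4
Active             : 1
Appl. Name         : Suricata
BPF Filtering      : Disabled
Cluster Id         : 99
Slot Len           : 1714 [bucket+header]
Tot Packets        : 107648318
Tot Pkt Lost       : 672416
Tot Insert         : 106975907
Tot Read           : 106975798
Reflect: Fwd Errors: 0
Num Free Slots     : 4780
"""

# Constructed sample: abridged copy of the worker's socket file quoted above.
WORKER_SOCKET = """\
Bound Device(s)    : eth4
Active             : 1
Appl. Name         : <unknown>
BPF Filtering      : Enabled
Cluster Id         : 22
Channel Id Mask    : 0xFFFFFFFF
Tot Packets        : 0
Tot Pkt Lost       : 0
Tot Insert         : 0
Tot Read           : 0
Num Free Slots     : 8159
"""


def parse_socket(text):
    """Return {key: value}; plain integers (with an optional '[...]' suffix) become ints.

    Keys themselves may contain a colon ("TX: Send Ok", "Reflect: Fwd Errors"),
    so the line is split on the last colon, not the first.
    """
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.rpartition(":")
        key, val = key.strip(), val.strip()
        num = re.match(r"(-?\d+)(?:\s*\[.*\])?$", val)  # "8224 [bucket+header]" -> 8224
        stats[key] = int(num.group(1)) if num else val  # "0xFFFFFFFF" stays a string
    return stats


def diagnose(stats):
    """Return a list of findings for one socket; an empty list means nothing stood out."""
    findings = []
    total = stats.get("Tot Packets", 0)
    if stats.get("Active") == 1 and total == 0:
        findings.append("no packets seen: socket is bound but nothing reaches it "
                        "(check tap/SPAN feed, link state, cluster id, worker process)")
    if stats.get("Appl. Name", "") in ("", "<unknown>"):
        findings.append("application name unknown: the consuming process did not "
                        "register a name (check that the worker actually started)")
    if (stats.get("BPF Filtering") == "Enabled" and total > 0
            and stats.get("Tot Insert", 0) == 0):
        findings.append("BPF filter attached but nothing inserted: filter may drop everything")
    lost = stats.get("Tot Pkt Lost", 0)
    if total and lost:
        findings.append(f"{lost / total:.2%} of packets lost: ring too small or "
                        "reader too slow (more lb_procs or a larger ring)")
    return findings


def scan_proc(proc_dir="/proc/net/pf_ring"):
    """Diagnose every <pid>-<iface>.<id> socket file under proc_dir on a live sensor."""
    return {path.name: diagnose(parse_socket(path.read_text()))
            for path in Path(proc_dir).glob("*-*.*")}


if __name__ == "__main__":
    for name, text in (("manager", MANAGER_SOCKET), ("worker", WORKER_SOCKET)):
        for finding in diagnose(parse_socket(text)) or ["ok"]:
            print(f"{name}: {finding}")
```

Run it on a sensor with `scan_proc()` to get one list of findings per socket; a worker whose every socket reports "no packets seen" while the manager's sockets count packets points at the worker host or its Bro process rather than at the feed.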

I may have something here… in perusing the logs on a node in /usr/local/bro/logs, I am seeing…

/usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

When I do an ldconfig -v on the same node, I get

/usr/local/pfring/lib:
libpfring.so -> libpfring.so
libpcap.so.1 -> libpcap.so.1.1.1

So bro is looking for libpcap.so.0.8 which is not present, correct?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

You need to make sure that all of your workers have the pf_ring libpcap installed in the same place as you did on the manager (or wherever you built Bro).

  .Seth