[Oisf-users] Suricata and XDP

ltishend ltishend at uw.edu
Mon Jun 10 15:08:20 UTC 2019


I don't get any message on stdout when I start suricata via the command line.  Maybe that's part of the problem?  No additional information dumps out to syslog either.


> -----Original Message-----
> From: Eric Leblond <eric at regit.org>
> Sent: Monday, June 10, 2019 7:59 AM
> To: ltishend <ltishend at uw.edu>; Peter Manev <petermanev at gmail.com>
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata and XDP
> 
> Hello,
> 
> We should have some message from libbpf on stdout. Can we have a look at it ?
> 
> On Mon, 2019-06-10 at 14:26 +0000, ltishend wrote:
> > > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
> > > /var/run/suricata.pid -- af-packet -vvv and share the full output?
> >
> > [25180] 10/6/2019 -- 07:22:34 - (suricata.c:1067) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev c1b30fe9f) running in SYSTEM mode
> > [25180] 10/6/2019 -- 07:22:34 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 40
> > [25180] 10/6/2019 -- 07:22:34 - (tmqh-flow.c:63) <Notice> (TmqhFlowRegister) -- using flow hash instead of active packets
> > [25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
> > [25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
> > [25180] 10/6/2019 -- 07:22:34 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
> > [25180] 10/6/2019 -- 07:22:44 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 2 rule files processed. 36833 rules successfully loaded, 0 rules failed
> > [25180] 10/6/2019 -- 07:22:44 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
> > [25180] 10/6/2019 -- 07:22:45 - (detect-engine-build.c:1426) <Info> (SigAddressPrepareStage1) -- 36833 signatures processed. 261 are IP-only rules, 13916 are inspecting packet payload, 22463 inspect application layer, 103 are decoder event only
> > [25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:441) <Info> (ParseAFPConfig) -- af-packet will use '/etc/suricata/xdp_filter.bpf' as XDP filter file
> > [25180] 10/6/2019 -- 07:23:12 - (util-ebpf.c:308) <Error> (EBPFSetupXDP) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to set XDP on 'enp175s0f1': Invalid argument (-22)
> > [25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:486) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when setting up XDP
> > [25180] 10/6/2019 -- 07:23:12 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 13 thread(s)
> > [25180] 10/6/2019 -- 07:23:13 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
> > [25180] 10/6/2019 -- 07:23:13 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
> > [25180] 10/6/2019 -- 07:23:13 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 13 packet processing threads, 5 management threads initialized, engine started.
> > [25204] 10/6/2019 -- 07:23:19 - (source-af-packet.c:509) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
> >
> > > ethtool -x your-interface-here
> >
> > RX flow hash indirection table for enp175s0f1 with 13 RX ring(s):
> > RSS hash key:
> > 6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:
> > 5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:
> > 6d:5a:6d:5a:6d:5a
> > RSS hash function:
> >     toeplitz: on
> >     xor: off
> >     crc32: off
> >
> > > ethtool -n your-interface-here
> >
> > 13 RX rings available
> > Total 0 rules
> >
> >
> > > -----Original Message-----
> > > From: Peter Manev <petermanev at gmail.com>
> > > Sent: Saturday, June 8, 2019 12:32 AM
> > > To: ltishend <ltishend at uw.edu>
> > > Cc: oisf-users at lists.openinfosecfoundation.org
> > > Subject: Re: [Oisf-users] Suricata and XDP
> > >
> > > On Sat, Jun 8, 2019 at 12:45 AM ltishend <ltishend at uw.edu> wrote:
> > > > > What is your start command?
> > > >
> > > > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
> > > > /var/run/suricata.pid --af-packet
> > > >
> > >
> > > Can you please run it again with -
> > > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
> > > /var/run/suricata.pid -- af-packet -vvv and share the full output?
> > >
> > > Also what is the output of
> > > ethtool -x your-interface-here
> > > ethtool -n your-interface-here
> > >
> > > Thank you
> > >
> > >
> > >
> > > --
> > > Regards,
> > > Peter Manev
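A small triage helper for the two ethtool outputs Peter asked for and for the XDP error in the quoted log, added here as an example and not part of the thread. The helper names are mine, the sample inputs are constructed from the quoted text (the indirection table is cut to one row), and the key check looks for the repeating 6d:5a pattern seen in the quoted RSS hash key, which hashes both directions of a flow to the same ring.

```shell
#!/bin/sh
# Constructed samples modelled on the outputs quoted in the thread (not the
# real captures; the indirection table is cut to one row).
SAMPLE_ETHTOOL_X=$(cat <<'EOF'
RX flow hash indirection table for enp175s0f1 with 13 RX ring(s):
    0:      0     1     2     3     4     5     6     7
RSS hash key:
6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a
RSS hash function:
    toeplitz: on
    xor: off
    crc32: off
EOF
)
SAMPLE_SURI_LOG=$(cat <<'EOF'
[25180] 10/6/2019 -- 07:23:12 - (util-ebpf.c:308) <Error> (EBPFSetupXDP) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to set XDP on 'enp175s0f1': Invalid argument (-22)
[25180] 10/6/2019 -- 07:23:13 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 13 packet processing threads, 5 management threads initialized, engine started.
EOF
)

# Number of RX rings from the indirection-table header (one capture thread per ring).
rx_ring_count() {
    printf '%s\n' "$1" | sed -n 's/.*with \([0-9][0-9]*\) RX ring(s).*/\1/p'
}

# The hex RSS key: the line that follows "RSS hash key:".
rss_hash_key() {
    printf '%s\n' "$1" | awk '/^RSS hash key:/ { getline; print; exit }'
}

# "symmetric" when the key is the repeating 6d:5a pattern (both directions of a
# flow land on the same ring), "asymmetric" for anything else.
rss_key_symmetry() {
    key=$(rss_hash_key "$1")
    rest=$(printf '%s' "$key" | sed 's/6d:5a://g; s/6d:5a$//')
    if [ -n "$key" ] && [ -z "$rest" ]; then echo symmetric; else echo asymmetric; fi
}

# "<iface> <errno>" for every "Unable to set XDP" error in a suricata -vvv log.
xdp_setup_errors() {
    printf '%s\n' "$1" | sed -n "s/.*Unable to set XDP on '\([^']*\)': .*(\(-[0-9]*\)).*/\1 \2/p"
}

echo "RX rings: $(rx_ring_count "$SAMPLE_ETHTOOL_X")"
echo "RSS key:  $(rss_key_symmetry "$SAMPLE_ETHTOOL_X")"
echo "XDP attach failures (iface errno):"
xdp_setup_errors "$SAMPLE_SURI_LOG"
```

On a live sensor, feed the functions the real `ethtool -x <iface>` output and the `suricata ... --af-packet -vvv` output instead of the constructed samples.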


