Hi Stefan,<br>Have you specified "<span lang="EN-US"> interface br0</span>" in the yaml conf file:<br><br><br><blockquote style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
pcap:<br> <b>- interface: br0</b><br> #buffer-size: 32768<br> #bpf-filter: "tcp and port 25"<br> # Choose checksum verification mode for the interface. At the moment<br> # of the capture, some packets may be with an invalid checksum due to<br>
# offloading to the network card of the checksum com<br></blockquote><br>How did you compile Suricata?<br><br>Thanks<br><br><div class="gmail_quote">On Sat, Jun 16, 2012 at 2:13 PM, Stefan Sabolowitsch <span dir="ltr"><<a href="mailto:Stefan.Sabolowitsch@felten-group.com" target="_blank">Stefan.Sabolowitsch@felten-group.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="DE">
<div>
<p class="MsoNormal"><span lang="EN-US">Hi all,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">i have with the latest suricata Version (rev 988c92f) a segfault, never seen before “beta2”.
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Any help ?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Thx<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Stefan<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">-#-#-#- snipp #-#-#-#-#<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:55:49 ipd1 kernel: device br0 left promiscuous mode<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:55:49 ipd1 kernel: device br1 left promiscuous mode<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:55:49 ipd1 sancp: Exiting<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:55:50 ipd1 sancp: Exiting<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:56:41 ipd1 sancp: Retrieved last connection ID: 5754602263574629554 8 0<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:56:41 ipd1 kernel: device br0 entered promiscuous mode<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:56:41 ipd1 sancp: started normally<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:56:53 ipd1 kernel: RxPcapbr010[10498]: segfault at 21 ip 0000000000000021 sp 00007ff755148ce8 error 14<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:56:53 ipd1 kernel: RxPcapbr05[10493]: segfault at 21 ip 0000000000000021 sp 00007ff75a23bce8 error 14 in suricata[400000+179000]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">Jun 16 13:56:53 ipd1 kernel: in suricata[400000+179000]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:56:53 ipd1 kernel: RxPcapbr06[10494]: segfault at 21 ip 0000000000000021 sp 00007ff75983ace8 error 14 in suricata[400000+179000]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:56:58 ipd1 sancp: Retrieved last connection ID: 5754602263574929436 8 0<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:56:58 ipd1 kernel: device br1 entered promiscuous mode<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"" lang="EN-US">Jun 16 13:56:58 ipd1 sancp: started normally<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">-#-#-#-#-snapp-+-+-+-+-+-<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">And I found this in the logfile:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10493] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10489] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10491] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10494] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10492] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10495] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10490] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10496] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10498] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10501] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10499] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10500] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10497] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10502] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10503] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10505] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10504] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10507] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10506] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10509] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10508] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10510] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10511] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10512] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10513] 16/6/2012 -- 13:56:52 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10514] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:353) <Info> (ReceivePcapThreadInit) -- using interface br0<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10515] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10516] 16/6/2012 -- 13:56:53 - (source-pcap.c:358) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10517] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10518] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10520] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">[10519] 16/6/2012 -- 13:56:53 - (source-pcap.c:348) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] - Unable to find Live device<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
</div>
</div>
<br>_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>