<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I added the "-vvv" parameter. The log is below.</p>
<p>I found a problem, but I don't know how to fix it.<br>
The problem is ARP. I can't see ARP requests in "tcpdump" or "ip
monitor all" while running Suricata.<br>
<br>
<b>Client ARP Table</b><br>
</p>
<p>? (10.1.8.1) at <incomplete> on eth8<br>
<br>
</p>
<p>suricata -c /etc/suricata/suricata.yaml --netmap -vvv</p>
<p>15/1/2018 -- 18:44:49 - <Notice> - This is Suricata version
4.0.3 RELEASE<br>
15/1/2018 -- 18:44:49 - <Info> - CPUs/cores online: 12<br>
15/1/2018 -- 18:44:49 - <Config> - Adding interface ens15f0
from config file<br>
15/1/2018 -- 18:44:49 - <Config> - Adding interface ens15f1
from config file<br>
15/1/2018 -- 18:44:49 - <Info> - Netmap: Setting IPS mode<br>
15/1/2018 -- 18:44:49 - <Config> - 'default' server has
'request-body-minimal-inspect-size' set to 31926 and
'request-body-inspect-window' set to 3968 after
randomization. <br>
15/1/2018 -- 18:44:49 - <Config> - 'default' server has
'response-body-minimal-inspect-size' set to 39564 and
'response-body-inspect-window' set to 15737 after randomization.<br>
15/1/2018 -- 18:44:49 - <Config> - DNS request flood
protection level: 500<br>
15/1/2018 -- 18:44:49 - <Config> - DNS per flow memcap
(state-memcap): 524288<br>
15/1/2018 -- 18:44:49 - <Config> - DNS global memcap:
16777216<br>
15/1/2018 -- 18:44:49 - <Config> - Protocol detection and
parser disabled for modbus protocol.<br>
15/1/2018 -- 18:44:49 - <Config> - Protocol detection and
parser disabled for enip protocol.<br>
15/1/2018 -- 18:44:49 - <Config> - Protocol detection and
parser disabled for DNP3.<br>
15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for
'ens15f0'<br>
15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for
'ens15f0'<br>
15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for
'ens15f1'<br>
15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for
'ens15f1'<br>
15/1/2018 -- 18:44:49 - <Config> - allocated 262144 bytes of
memory for the host hash... 4096 buckets of size 64<br>
15/1/2018 -- 18:44:49 - <Config> - preallocated 1000 hosts
of size 136<br>
15/1/2018 -- 18:44:49 - <Config> - host memory usage: 398144
bytes, maximum: 33554432<br>
15/1/2018 -- 18:44:49 - <Config> - Core dump size set to
unlimited.<br>
15/1/2018 -- 18:44:49 - <Config> - allocated 3670016 bytes
of memory for the defrag hash... 65536 buckets of size 56<br>
15/1/2018 -- 18:44:49 - <Config> - preallocated 65535 defrag
trackers of size 168<br>
15/1/2018 -- 18:44:49 - <Config> - defrag memory usage:
14679896 bytes, maximum: 33554432<br>
15/1/2018 -- 18:44:49 - <Config> - stream
"prealloc-sessions": 2048 (per thread)<br>
15/1/2018 -- 18:44:49 - <Config> - stream "memcap": 67108864<br>
15/1/2018 -- 18:44:49 - <Config> - stream "midstream"
session pickups: disabled<br>
15/1/2018 -- 18:44:49 - <Config> - stream "async-oneside":
disabled<br>
15/1/2018 -- 18:44:49 - <Config> - stream
"checksum-validation": enabled<br>
15/1/2018 -- 18:44:49 - <Config> - stream."inline": enabled<br>
15/1/2018 -- 18:44:49 - <Config> - stream "bypass": disabled<br>
15/1/2018 -- 18:44:49 - <Config> - stream
"max-synack-queued": 5<br>
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
"memcap": 268435456<br>
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
"depth": 1048576<br>
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
"toserver-chunk-size": 2469<br>
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
"toclient-chunk-size": 2572<br>
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly.raw:
enabled<br>
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
"segment-prealloc": 2048<br>
15/1/2018 -- 18:44:49 - <Config> - Delayed detect disabled<br>
15/1/2018 -- 18:44:49 - <Info> - Running in live mode,
activating unix socket<br>
15/1/2018 -- 18:44:49 - <Config> - pattern matchers: MPM:
ac, SPM: bm<br>
15/1/2018 -- 18:44:49 - <Config> - grouping: tcp-whitelist
(default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667,
8080<br>
15/1/2018 -- 18:44:49 - <Config> - grouping: udp-whitelist
(default) 53, 135, 5060<br>
15/1/2018 -- 18:44:49 - <Config> - prefilter engines: MPM<br>
15/1/2018 -- 18:44:49 - <Config> - IP reputation disabled<br>
15/1/2018 -- 18:44:49 - <Config> - Loading rule file:
/var/lib/suricata/rules/suricata.rules<br>
15/1/2018 -- 18:44:56 - <Info> - 1 rule files processed.
18586 rules successfully loaded, 0 rules failed<br>
15/1/2018 -- 18:44:56 - <Info> - Threshold config parsed: 0
rule(s) found<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
tcp-packet<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
tcp-stream<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
udp-packet<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
other-ip<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_uri<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_request_line<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_client_body<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_response_line<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_header<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_header<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_header_names<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_header_names<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_accept<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_accept_enc<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_accept_lang<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_referer<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_connection<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_content_len<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_content_len<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_content_type<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_content_type<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_protocol<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_protocol<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_start<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_start<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_raw_header<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_raw_header<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_method<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_cookie<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_cookie<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_raw_uri<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_user_agent<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_host<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_raw_host<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_stat_msg<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_stat_code<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
dns_query<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
tls_sni<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
tls_cert_issuer<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
tls_cert_subject<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
tls_cert_serial<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
dce_stub_data<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
dce_stub_data<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
ssh_protocol<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
ssh_protocol<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
ssh_software<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
ssh_software<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
file_data<br>
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
file_data<br>
15/1/2018 -- 18:44:56 - <Info> - 18591 signatures processed.
1144 are IP-only rules, 6288 are inspecting packet payload, 13278
inspect application layer, 0 are decoder event only<br>
15/1/2018 -- 18:44:56 - <Config> - building signature
grouping structure, stage 1: preprocessing rules... complete<br>
15/1/2018 -- 18:44:56 - <Perf> - TCP toserver: 41 port
groups, 32 unique SGH's, 9 copies<br>
15/1/2018 -- 18:44:56 - <Perf> - TCP toclient: 21 port
groups, 21 unique SGH's, 0 copies<br>
15/1/2018 -- 18:44:56 - <Perf> - UDP toserver: 41 port
groups, 32 unique SGH's, 9 copies<br>
15/1/2018 -- 18:44:56 - <Perf> - UDP toclient: 21 port
groups, 15 unique SGH's, 6 copies<br>
15/1/2018 -- 18:44:56 - <Perf> - OTHER toserver: 254 proto
groups, 3 unique SGH's, 251 copies<br>
15/1/2018 -- 18:44:56 - <Perf> - OTHER toclient: 254 proto
groups, 0 unique SGH's, 254 copies<br>
15/1/2018 -- 18:44:57 - <Perf> - Unique rule groups: 103<br>
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toserver TCP
packet": 21<br>
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toclient TCP
packet": 20<br>
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toserver TCP
stream": 20<br>
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toclient TCP
stream": 21<br>
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toserver UDP
packet": 32<br>
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toclient UDP
packet": 14<br>
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "other IP
packet": 2<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_uri": 6<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_request_line": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_client_body": 5<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
http_response_line": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_header": 6<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
http_header": 3<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_header_names": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_accept": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_referer": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_content_len": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_content_type": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
http_content_type": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_start": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_raw_header": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
http_raw_header": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_method": 3<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_cookie": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
http_cookie": 2<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_raw_uri": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_user_agent": 4<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_host": 2<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
http_stat_code": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
dns_query": 4<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
tls_sni": 2<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
tls_cert_issuer": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
tls_cert_subject": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
tls_cert_serial": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
ssh_protocol": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
file_data": 1<br>
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
file_data": 5<br>
15/1/2018 -- 18:44:57 - <Info> - fast output device
(regular) initialized: fast.log<br>
15/1/2018 -- 18:44:57 - <Info> - eve-log output device
(regular) initialized: eve.json<br>
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module
'alert'<br>
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module
'http'<br>
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module
'dns'<br>
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module
'tls'<br>
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module
'files'<br>
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module
'smtp'<br>
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module
'ssh'<br>
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module
'stats'<br>
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module
'flow'<br>
15/1/2018 -- 18:44:57 - <Info> - stats output device
(regular) initialized: stats.log<br>
15/1/2018 -- 18:44:57 - <Info> - Found 1 RX RSS queues for
'ens15f0'<br>
15/1/2018 -- 18:44:57 - <Info> - Found 1 RX RSS queues for
'ens15f1'<br>
15/1/2018 -- 18:44:57 - <Perf> - Using 1 threads for
interface ens15f0<br>
15/1/2018 -- 18:44:57 - <Info> - Going to use 1 thread(s)<br>
15/1/2018 -- 18:44:58 - <Perf> - Enabling zero copy mode for
ens15f0->ens15f1<br>
15/1/2018 -- 18:44:58 - <Info> - Found 1 RX RSS queues for
'ens15f1'<br>
15/1/2018 -- 18:44:58 - <Info> - Found 1 RX RSS queues for
'ens15f0'<br>
15/1/2018 -- 18:44:58 - <Perf> - Using 1 threads for
interface ens15f1<br>
15/1/2018 -- 18:44:58 - <Info> - Going to use 1 thread(s)<br>
15/1/2018 -- 18:44:58 - <Perf> - Enabling zero copy mode for
ens15f1->ens15f0<br>
15/1/2018 -- 18:44:58 - <Config> - using 1 flow manager
threads<br>
15/1/2018 -- 18:44:58 - <Config> - using 1 flow recycler
threads<br>
15/1/2018 -- 18:44:58 - <Info> - Running in live mode,
activating unix socket<br>
15/1/2018 -- 18:44:58 - <Info> - Using unix socket file
'/var/run/suricata/suricata-command.socket'<br>
15/1/2018 -- 18:44:58 - <Notice> - all 2 packet processing
threads, 4 management threads initialized, engine started.<br>
</p>
<pre class="moz-signature" cols="72">Fatih USTA</pre>
<div class="moz-cite-prefix">On 15-01-2018 17:07, Fatih USTA wrote:<br>
</div>
<blockquote type="cite"
cite="mid:550793fd-d92e-82d8-7472-7cdd8934dbfc@gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<p>Hi <br>
</p>
<p>I'm working on Suricata with netmap. <br>
</p>
<p>I built Suricata 4.0.3 with netmap on CentOS 7 (kernel
3.10.xx).<br>
<br>
I disabled rx/tx and lro/gro:<br>
</p>
<p>ethtool -K ens15f0 lro off gro off<br>
ethtool -K ens15f1 lro off gro off<br>
<br>
ethtool -A ens15f0 rx off tx off<br>
ethtool -A ens15f1 rx off tx off<br>
</p>
<p>Traffic is not forwarded when I start Suricata.<br>
</p>
<p>From 10.1.8.2 icmp_seq=18 Destination Host Unreachable<br>
From 10.1.8.2 icmp_seq=19 Destination Host Unreachable<br>
</p>
<p>Any idea? Thank you for your help.<br>
</p>
<p><b>my suricata config</b><br>
</p>
<pre>netmap:
  - interface: default

  - interface: ens15f0
    copy-iface: ens15f1
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
    threads: auto

  - interface: ens15f1
    copy-iface: ens15f0
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
    threads: auto</pre>
<p><b>Kernel Modules</b><br>
</p>
<p>[root@centos7 ~]# lsmod | grep netmap<br>
netmap 154288 2 igb,ixgbe<br>
<br>
</p>
<p><b>Build INFO</b><br>
[root@centos7 ~]# suricata --build-info<br>
This is Suricata version 4.0.3 RELEASE<br>
Features: NFQ PCAP_SET_BUFF AF_PACKET NETMAP HAVE_PACKET_FANOUT
LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT
HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC <br>
SIMD support: none<br>
Atomic intrisics: 1 2 4 8 byte(s)<br>
64-bits, Little-endian architecture<br>
GCC version 4.8.5 20150623 (Red Hat 4.8.5-16), C version 199901<br>
compiled with _FORTIFY_SOURCE=2<br>
L1 cache line size (CLS)=64<br>
thread local storage method: __thread<br>
compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25<br>
<br>
Suricata Configuration:<br>
AF_PACKET support: yes<br>
PF_RING support: no<br>
NFQueue support: yes<br>
NFLOG support: yes<br>
IPFW support: no<br>
Netmap support: yes<br>
DAG enabled: no<br>
Napatech enabled: no<br>
<br>
Unix socket enabled: yes<br>
Detection enabled: yes<br>
<br>
Libmagic support: yes<br>
libnss support: yes<br>
libnspr support: yes<br>
libjansson support: yes<br>
hiredis support: yes<br>
hiredis async with libevent: yes<br>
Prelude support: yes<br>
PCRE jit: yes<br>
LUA support: yes<br>
libluajit: no<br>
libgeoip: yes<br>
Non-bundled htp: no<br>
Old barnyard2 support: no<br>
CUDA enabled: no<br>
Hyperscan support: no<br>
Libnet support: yes<br>
<br>
Rust support (experimental): no<br>
Experimental Rust parsers: no<br>
Rust strict mode: no<br>
<br>
Suricatasc install: yes<br>
<br>
Profiling enabled: no<br>
Profiling locks enabled: no<br>
<br>
Development settings:<br>
Coccinelle / spatch: no<br>
Unit tests enabled: no<br>
Debug output enabled: no<br>
Debug validation enabled: no<br>
<br>
Generic build parameters:<br>
Installation prefix: /usr<br>
Configuration directory: /etc/suricata/<br>
Log directory: /var/log/suricata/<br>
<br>
--prefix /usr<br>
--sysconfdir /etc<br>
--localstatedir /var<br>
<br>
Host:
x86_64-redhat-linux-gnu<br>
Compiler: gcc -std=gnu99 (exec
name) / gcc (real)<br>
GCC Protect enabled: yes<br>
GCC march native enabled: no<br>
GCC Profile enabled: no<br>
Position Independent Executable enabled: yes<br>
CFLAGS -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64
-mtune=generic<br>
PCAP_CFLAGS <br>
SECCFLAGS -fstack-protector
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security<br>
<br>
</p>
<pre class="moz-signature" cols="72">--
Fatih USTA</pre>
</blockquote>
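<p>The quoted netmap section is the part of this setup a reviewer would sanity-check first: in IPS copy mode each interface entry must name a copy-iface that has an entry of its own pointing back at it, both sides must use copy-mode ips, and a misspelled key such as "inteface" simply drops that entry (Suricata's startup log above lists only the two interfaces it actually found). The script below is an added example for this thread, not code from Suricata or from the original poster. It parses only the flat "- key: value" layout used in the netmap section, so it needs no YAML library; the interface names are taken from the posted config, while the broken sample (misspelled key, non-mutual copy-iface, mixed copy-mode, differing thread counts) is constructed to show what the checks catch. The thread-count check follows the af-packet IPS documentation, which requires equal worker counts on both sides of a pair; treat it as a warning for netmap.</p>

```python
"""Consistency checks for a Suricata netmap IPS interface pairing.

Added example for this thread (not Suricata's own code). Handles only the
flat "- key: value" subset of YAML used by the netmap: section.
"""
import re

# Constructed sample: deliberately misconfigured, in the poster's layout.
BROKEN_NETMAP = """
netmap:
  - inteface: default

  - interface: ens15f0
    copy-iface: ens15f1
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
    threads: auto

  - interface: ens15f1
    copy-iface: ens15f2
    copy-mode: tap
    disable-promisc: no
    checksum-checks: auto
    threads: 2
"""

# Constructed sample: the same pair, mutually referenced, both in ips mode.
FIXED_NETMAP = """
netmap:
  - interface: default

  - interface: ens15f0
    copy-iface: ens15f1
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
    threads: auto

  - interface: ens15f1
    copy-iface: ens15f0
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
    threads: auto
"""

# "- " prefix starts a new list entry; otherwise the line adds a key to it.
ITEM_RE = re.compile(r"^\s*(-\s+)?([A-Za-z0-9_-]+):\s*(.*?)\s*$")


def parse_netmap_section(text):
    """Return the list of interface entries (dicts) under 'netmap:'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "netmap:":
            continue
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError("unsupported line: %r" % raw)
        starts_entry, key, value = m.groups()
        if starts_entry:
            entries.append({})
        if not entries:
            raise ValueError("key before first list item: %r" % raw)
        entries[-1][key] = value
    return entries


def check_netmap_ips(entries):
    """Return human-readable findings; an empty list means the pairing is consistent."""
    findings = []
    by_name = {}
    for idx, e in enumerate(entries):
        if "interface" not in e:
            # A misspelled 'interface' key leaves the entry without a name.
            findings.append("entry %d has no 'interface' key (found: %s); "
                            "Suricata will skip it"
                            % (idx, ", ".join(sorted(e)) or "nothing"))
            continue
        by_name[e["interface"]] = e

    for name, e in by_name.items():
        if name == "default":
            continue
        mode = e.get("copy-mode")
        peer = e.get("copy-iface")
        if mode != "ips":
            findings.append("%s: copy-mode is %r, expected 'ips'" % (name, mode))
        if not peer:
            findings.append("%s: copy-mode without copy-iface" % name)
            continue
        peer_entry = by_name.get(peer)
        if peer_entry is None:
            findings.append("%s: copy-iface %s has no entry of its own" % (name, peer))
            continue
        if peer_entry.get("copy-iface") != name:
            findings.append("%s -> %s is not mirrored by %s -> %s"
                            % (name, peer, peer, name))
        # Both sides of an IPS pair should run the same number of workers.
        if peer_entry.get("threads") != e.get("threads"):
            findings.append("%s/%s: 'threads' differ (%s vs %s)"
                            % (name, peer, e.get("threads"), peer_entry.get("threads")))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_NETMAP), ("fixed", FIXED_NETMAP)):
        print(label, check_netmap_ips(parse_netmap_section(cfg)) or "OK")
```

<p>Point the parser at the real netmap block from /etc/suricata/suricata.yaml before starting the engine; any finding for a non-default interface means that side of the bridge will not be set up the way the other side expects, which is exactly the kind of silent failure that shows up as no frames (ARP included) arriving on the far NIC.</p>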
<br>
</body>
</html>