<div dir="ltr">Hi Gaetan,<div><br></div><div>Are you passing interfaces via the command line or via a config file?</div><div><br></div><div>Because if you use a config file, it should be much easier to set up multiple interfaces. I suppose you are using AF_PACKET; you just have to keep in mind to use a different "cluster-id" for each interface:</div><div><br></div>
<pre>af-packet:
  - interface: eth0
    cluster-id: 100
  - interface: eth1
    cluster-id: 101
  - interface: ethN
    cluster-id: 102</pre>
<div><br></div><div>Then you should run:</div>
<pre>suricata --af-packet -c &lt;path-to-config&gt;</pre>
<div><br></div><div>Regards,</div><div>Davide</div><div><br><div class="gmail_extra"><br><div class="gmail_quote">2018-08-21 15:30 GMT+02:00 Piquenot, Gaetan <span dir="ltr">&lt;<a href="mailto:gaetan.piquenot@airbus.com" target="_blank">gaetan.piquenot@airbus.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">





<div lang="FR">
<div class="gmail-m_3765335294971045731WordSection1">
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal"><span lang="EN-US">I’m trying to make suricata sniff on 4 ifaces, but when I put several -i &lt;IFACE NAME&gt; into /etc/sysconfig/suricata (CentOS), I can’t run suricata and get the following errors:</span></p>
<pre>21/8/2018 -- 14:09:03 - &lt;Warning&gt; - [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)] - using multiple devices to get packets is experimental.
{"timestamp":"2018-08-21T14:09:03.228795+0200","event_type":"engine","engine":{"message":"This is Suricata version 4.0.4 RELEASE"}}
{"timestamp":"2018-08-21T14:09:03.393105+0200","event_type":"engine","engine":{"message":"all 12 packet processing threads, 4 management threads initialized, engine started."}}
{"timestamp":"2018-08-21T14:09:03.449420+0200","event_type":"engine","engine":{"error_code":190,"error":"SC_ERR_AFP_CREATE","message":"Couldn't set fanout mode, error Invalid argument"}}
{"timestamp":"2018-08-21T14:09:03.455418+0200","event_type":"engine","engine":{"error_code":190,"error":"SC_ERR_AFP_CREATE","message":"Couldn't init AF_PACKET socket, fatal error"}}
{"timestamp":"2018-08-21T14:09:03.463594+0200","event_type":"engine","engine":{"error_code":171,"error":"SC_ERR_FATAL","message":"thread RX#01-ens225 failed"}}</pre>
<p class="MsoNormal"><span lang="EN-US">I saw this old link <a href="https://lists.openinfosecfoundation.org/pipermail/oisf-users/2015-November/005412.html" target="_blank">https://lists.openinfosecfoundation.org/pipermail/oisf-users/2015-November/005412.html</a> but my ifaces are configured and if I use them one by one it’s working.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif">Regards.</span></p></div></div></blockquote></div><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Davide Setti<br>R&amp;D and Incident Response Team, Certego</div>
</div></div></div>
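<div>Added example, not part of the original thread and not Suricata code: a small check that reads the af-packet list of a Suricata config in the layout shown above and reports interfaces that share a "cluster-id" or have none set explicitly. The function names and the sample config are constructed for illustration.</div>

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): eth1 reuses eth0's cluster-id.
SAMPLE_CONFIG = """\
af-packet:
  - interface: eth0
    cluster-id: 100
  - interface: eth1
    cluster-id: 100   # copy-paste leftover
  - interface: eth2
logging:
  default-log-level: notice
"""

def parse_af_packet(text):
    """Return [(interface, cluster_id or None)]; line-based, not a full YAML parser."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():  # a top-level key starts or ends the section
            in_section = line.startswith("af-packet:")
        elif in_section:
            iface = re.match(r"\s*-\s*interface:\s*(\S+)", line)
            cid = re.match(r"\s*(?:-\s*)?cluster-id:\s*(\d+)", line)
            if iface:
                entries.append([iface.group(1), None])
            elif cid and entries:
                entries[-1][1] = int(cid.group(1))
    return [tuple(e) for e in entries]

def cluster_id_problems(text):
    """Map each finding to the interfaces it concerns."""
    by_id, problems = defaultdict(list), {}
    for iface, cid in parse_af_packet(text):
        if cid is None:
            problems.setdefault("no explicit cluster-id", []).append(iface)
        else:
            by_id[cid].append(iface)
    for cid, ifaces in by_id.items():
        if len(ifaces) > 1:
            problems[f"cluster-id {cid} shared"] = ifaces
    return problems

if __name__ == "__main__":
    for finding, ifaces in cluster_id_problems(SAMPLE_CONFIG).items():
        print(f"{finding}: {', '.join(ifaces)}")
```

<div>The layout suggested in the reply (eth0/100, eth1/101, ethN/102) produces no findings.</div>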