<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><br><div dir="ltr"><br>On 8 Nov 2018, at 10:04, bush <<a href="mailto:djw25521@163.com">djw25521@163.com</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">Hi,<br><br><div>Thanks for your reply.</div><div><br></div><div>Using the "<span style="font-family: arial; white-space: pre-wrap;">suricata -c /data/wangdj/suricata/etc/suricata/suricata.yaml --init-errors-fatal --pcap=eth2</span>" command works, but with this warning: </div><div><Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems</div><div><br></div>My kernel version is 2.6.32. Is this version too old to support <span style="font-family: arial; white-space: pre-wrap;">AF_PACKET?</span></div></div></blockquote><div><br></div><div>Yes - both Suricata and kernel versions are too old. </div><div>You should try the freshly released 4.1 - it has a bunch more features.</div><div><a href="https://suricata-ids.org/2018/11/06/suricata-4-1-released/">https://suricata-ids.org/2018/11/06/suricata-4-1-released/</a></div><br><blockquote type="cite"><div dir="ltr"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div style="position:relative;zoom:1">--<br><div>Best Regards</div><div>Wangdejin</div><div style="clear:both"></div></div><div id="divNeteaseMailCard"></div><br><pre><br>At 2018-11-08 15:57:16, "Eric Leblond" <<a href="mailto:eric@regit.org">eric@regit.org</a>> wrote:
>Hello,
>
>On Thu, 2018-11-08 at 15:48 +0800, bush wrote:
>> Hi,
>> 
>> When I run suricata, I got some errors.  The information is below:
>> #suricata -c /data/wangdj/suricata/etc/suricata/suricata.yaml -i eth2
>> --init-errors-fatal
>> 8/11/2018 -- 15:26:23 - <Notice> - This is Suricata version 3.1
>> RELEASE
>...
>> 8/11/2018 -- 15:26:37 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] -
>> Couldn't init AF_PACKET socket, fatal error
>> 8/11/2018 -- 15:26:38 - <Notice> - Stats for 'eth2':  pkts: 0, drop:
>> 0 (-nan%), invalid chksum: 0
>> 
>> variables suricata.yaml 
>> The af-packet options in the suricata.yaml configuration file are set as
>> follows:
>> af-packet:
>>   - interface: eth2
>>     cluster-id: 99
>>     cluster-type: cluster_flow
>>     defrag: yes
>>   - interface: default
>> 
>> My OS is: CentOS release 6.4 (Final)
>
>This may be a bit old for AF_PACKET. What kernel is running there ?
>
>Can you try
>
>suricata -c /data/wangdj/suricata/etc/suricata/suricata.yaml --init-errors-fatal --pcap=eth2
>
>to force libpcap support and see if this one is working correctly ?
>
>BR,
>-- 
>Eric Leblond <<a href="mailto:eric@regit.org">eric@regit.org</a>>
</pre></div><br><br></div></blockquote></body></html>