<div dir="ltr"><div dir="ltr"><div>Hello again Andreas,<br></div><div><br></div><div>I got around to finally filing this one today as well :) It is still happening after we upgraded to 4.1.4. See <a href="https://redmine.openinfosecfoundation.org/issues/3004">https://redmine.openinfosecfoundation.org/issues/3004</a>.<br></div><div><br></div><div>Thank you,</div><div>Eric<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 30, 2019 at 3:58 PM Andreas Herz <<a href="mailto:andi@geekosphere.org">andi@geekosphere.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Eric,<br>
<br>
could you track this with those details in our redmine issue tracker?<br>
<br>
And double check if it's happening with 4.1.4 as well :)<br>
<br>
On 26/04/19 at 13:06, Eric Urban wrote:<br>
> We are currently testing Suricata 4.1.3. Whenever we perform a rule<br>
> reload, we get the error SC_ERR_PCAP_DISPATCH with an error code of -2.<br>
> Here is the output from suricata.log:<br>
> <br>
> {"timestamp":"2019-04-26T10:07:54.238852-0500","log_level":"Error","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"error<br>
> code -2 "}}<br>
> {"timestamp":"2019-04-26T10:07:54.664296-0500","log_level":"Info","event_type":"engine","engine":{"message":"cleaning<br>
> up signature grouping structure... complete"}}<br>
> {"timestamp":"2019-04-26T10:07:54.665821-0500","log_level":"Notice","event_type":"engine","engine":{"message":"rule<br>
> reload complete"}}<br>
> <br>
> We do not get this error in 4.0.6. I am not sure at this point whether<br>
> this is a non-issue or if it does in fact affect alerting?<br>
> <br>
> I believe this error is coming from source-pcap.c on line 269 (<br>
> <a href="https://github.com/OISF/suricata/blob/7f38ffc8bcfa3bca793eb3be41f112634b48de2a/src/source-pcap.c#L269" rel="noreferrer" target="_blank">https://github.com/OISF/suricata/blob/7f38ffc8bcfa3bca793eb3be41f112634b48de2a/src/source-pcap.c#L269</a>),<br>
> since we aren't loading a pcap file in this case and that is mostly where<br>
> else this error is thrown.<br>
> <br>
> There is a pcap_dispatch call above this one (line 265) and the conditional<br>
> on line 267 to enter the trigger for this error checks that the return from<br>
> pcap_dispatch is < 0. The PCAP_ERROR_BREAK (-2) code would be handled on<br>
> line 272 once inside of here. There is a pcap_breakloop() call (line 226)<br>
> inside PcapCallbackLoop which is called on line 266, but I believe this may<br>
> be the result of the change for 4.1.3 in<br>
> <a href="https://github.com/OISF/suricata/commit/bb26e6216e5190d841529c0ecb1292b9a358ed54#diff-2079412a59d37868318fc953aeddef52" rel="noreferrer" target="_blank">https://github.com/OISF/suricata/commit/bb26e6216e5190d841529c0ecb1292b9a358ed54#diff-2079412a59d37868318fc953aeddef52</a><br>
> where<br>
> ReceivePcapBreakLoop was created for PktAcqBreakLoop. So possibly in<br>
> tm-threads.c at<br>
> <a href="https://github.com/OISF/suricata/blob/d6903e70c1b653984ca95f8808755efbc6a9ece4/src/tm-threads.c#L1610" rel="noreferrer" target="_blank">https://github.com/OISF/suricata/blob/d6903e70c1b653984ca95f8808755efbc6a9ece4/src/tm-threads.c#L1610</a><br>
> ?<br>
> <br>
> Does this seem right or am I on the wrong track? If that is how the error<br>
> occurs, then I believe we would be losing a half second (at least) of<br>
> traffic visibility due to the reconnect on line 277 of source-pcap.c.<br>
> <br>
> I am curious if anyone else using pcap capture method running 4.1.3 or<br>
> other versions has experienced this?<br>
> <br>
> -- <br>
> Eric Urban<br>
> University Information Security | Office of Information Technology |<br>
> <a href="http://it.umn.edu" rel="noreferrer" target="_blank">it.umn.edu</a><br>
> University of Minnesota | <a href="http://umn.edu" rel="noreferrer" target="_blank">umn.edu</a><br>
> <a href="mailto:eurban@umn.edu" target="_blank">eurban@umn.edu</a><br>
<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> <br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
<br>
<br>
-- <br>
Andreas Herz<br>
</blockquote></div></div>
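The distinction Eric is reasoning about above (pcap_dispatch() returning PCAP_ERROR_BREAK = -2 after a pcap_breakloop() from the callback, versus a real capture error, and a receive loop that reopens the handle on any negative return) can be modelled without a live interface. The following is an added example, not code from this thread and not Suricata's source-pcap.c: FakePcapHandle is a constructed stand-in for a pcap_t that only mirrors libpcap's documented return codes, the packet stream is constructed, and the 500 ms reconnect backoff is an assumption chosen to match the "half second" Eric estimates. It shows how many packets a loop that treats -2 as an error misses around a break-loop request, compared with one that recognises the clean break, while a genuine PCAP_ERROR (-1) still takes the reconnect path in both.

```python
"""Model of a libpcap-style receive loop built around pcap_dispatch().

Constructed illustration only: this is not Suricata's source-pcap.c and
FakePcapHandle is not libpcap. The return-code convention it mirrors is
libpcap's documented one: pcap_dispatch() returns the number of packets
processed, 0 on timeout, PCAP_ERROR (-1) on a real capture error, and
PCAP_ERROR_BREAK (-2) when pcap_breakloop() was called from the callback.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

PCAP_ERROR = -1
PCAP_ERROR_BREAK = -2
RECONNECT_BACKOFF_MS = 500   # assumed pause before a handle is reopened

Packet = Tuple[int, bytes]   # (arrival time in ms, payload)


@dataclass
class FakePcapHandle:
    """Stand-in for a pcap_t over a pre-recorded packet stream."""
    packets: List[Packet]
    pos: int = 0                  # index of the next packet to deliver
    break_requested: bool = False
    fail_next: bool = False       # simulate one real capture error

    def breakloop(self) -> None:
        """pcap_breakloop(): make the running dispatch return early."""
        self.break_requested = True

    def dispatch(self, cnt: int, callback: Callable[[int, bytes], None]) -> int:
        """pcap_dispatch(): deliver up to cnt packets, return a libpcap-style code."""
        if self.fail_next:
            self.fail_next = False
            return PCAP_ERROR
        delivered = 0
        while delivered < cnt and self.pos < len(self.packets):
            ts, payload = self.packets[self.pos]
            self.pos += 1
            delivered += 1
            callback(ts, payload)
            if self.break_requested:
                self.break_requested = False
                return PCAP_ERROR_BREAK
        return delivered


def run_receive_loop(handle: FakePcapHandle, break_after: int,
                     break_is_error: bool) -> Tuple[List[int], int]:
    """Drain the handle; return (timestamps seen, number of reconnects).

    break_is_error=True models a loop that treats every negative return
    from dispatch as a failure and reopens the handle; False models a loop
    that recognises PCAP_ERROR_BREAK as a clean interruption.
    """
    seen: List[int] = []

    def on_packet(ts: int, _payload: bytes) -> None:
        seen.append(ts)
        if len(seen) == break_after:
            handle.breakloop()   # what a break-loop request during a rule reload does

    reconnects = 0
    while handle.pos < len(handle.packets):
        rc = handle.dispatch(64, on_packet)
        if rc >= 0:
            continue
        if rc == PCAP_ERROR_BREAK and not break_is_error:
            continue             # same handle, nothing missed
        # Reopen path: packets arriving during the backoff are never captured.
        reconnects += 1
        now = handle.packets[handle.pos - 1][0] if handle.pos else handle.packets[0][0]
        while (handle.pos < len(handle.packets)
               and handle.packets[handle.pos][0] < now + RECONNECT_BACKOFF_MS):
            handle.pos += 1
    return seen, reconnects


def sample_stream() -> List[Packet]:
    """Constructed traffic: one packet every 100 ms for two seconds (21 packets)."""
    return [(ts, b"pkt") for ts in range(0, 2001, 100)]


if __name__ == "__main__":
    for label, as_error in (("break treated as error", True),
                            ("break handled cleanly", False)):
        seen, reconnects = run_receive_loop(FakePcapHandle(sample_stream()),
                                            break_after=5, break_is_error=as_error)
        print(f"{label}: saw {len(seen)}/21 packets, reconnects={reconnects}")
```

With the break requested at the fifth packet (t = 400 ms), the loop that reopens on any negative return skips the four packets that arrive during the 500 ms backoff and sees 17 of 21; the loop that distinguishes -2 sees all 21 with no reconnect. A handle that fails with PCAP_ERROR on its first dispatch still reconnects in both variants, which is the behaviour a real capture error should keep.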