[Oisf-users] Broadcom NetXtreme II BCM5709 NIC

Duarte Silva duarte.silva at serializing.me
Tue Oct 20 04:43:45 UTC 2015 

Hi Russel,

the only thing that comes to my mind is the Kernel version. Does it fully support AF_PACKET fanout?

Cheers,
Duarte

-----Original Message-----
From: "Russell Fulton" <r.fulton at auckland.ac.nz>
Sent: ‎19/‎10/‎2015 23:13
To: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: [Oisf-users] Broadcom NetXtreme II BCM5709 NIC

Hi

I have just build an old Dell R610 which has broadcom NICs as a suricata sensor but when I start suri using AFpacket I get a bunch of errors:

Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started. 
Oct 19 00:30:03 secmonprd05 kernel: [618411.460572] device eth3 entered promiscuous mode
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument 
Oct 19 00:30:03 secmonprd05 kernel: [618411.507293] device eth3 left promiscuous mode
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error 
Oct 19 00:30:03 secmonprd05 kernel: [618411.511313] device eth3 entered promiscuous mode
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - Signal Received.  Stopping engine. 
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument 
Oct 19 00:30:03 secmonprd05 last message repeated 6 times
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error 
Oct 19 00:30:03 secmonprd05 kernel: [618411.667074] device eth3 left promiscuous mode
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error 
Oct 19 00:30:03 secmonprd05 last message repeated 5 times

I conclude that I cant use afpacket with these NICs. 

I am now running using plain old -i eth3 but we are dropping lots of packets.

There are a number of options I can try (buy another nic, pf_ring) but thought I would check that there isn’t anything I can do to get afpacket to work with these NICs.

Russell
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151020/0f7fd58c/attachment-0002.html>

More information about the Oisf-users mailing list