[Oisf-users] Broadcom NetXtreme II BCM5709 NIC

Leonard Jacobs ljacobs at netsecuris.com
Tue Oct 20 04:49:48 UTC 2015 

Could it be NIC offloading needs to be disabled?
 
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Duarte Silva
Sent: Monday, October 19, 2015 11:44 PM
To: Russell Fulton; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Broadcom NetXtreme II BCM5709 NIC
 
Hi Russel,

the only thing that comes to my mind is the Kernel version. Does it fully support AF_PACKET fanout?

Cheers,
Duarte


From: Russell Fulton
Sent: ‎19/‎10/‎2015 23:13
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Broadcom NetXtreme II BCM5709 NIC
Hi

I have just build an old Dell R610 which has broadcom NICs as a suricata sensor but when I start suri using AFpacket I get a bunch of errors:

Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started. 
Oct 19 00:30:03 secmonprd05 kernel: [618411.460572] device eth3 entered promiscuous mode
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument 
Oct 19 00:30:03 secmonprd05 kernel: [618411.507293] device eth3 left promiscuous mode
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error 
Oct 19 00:30:03 secmonprd05 kernel: [618411.511313] device eth3 entered promiscuous mode
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - Signal Received.  Stopping engine. 
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument 
Oct 19 00:30:03 secmonprd05 last message repeated 6 times
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error 
Oct 19 00:30:03 secmonprd05 kernel: [618411.667074] device eth3 left promiscuous mode
Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error 
Oct 19 00:30:03 secmonprd05 last message repeated 5 times

I conclude that I cant use afpacket with these NICs. 

I am now running using plain old -i eth3 but we are dropping lots of packets.

There are a number of options I can try (buy another nic, pf_ring) but thought I would check that there isn’t anything I can do to get afpacket to work with these NICs.

Russell
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151019/b432b0cb/attachment-0002.html>

More information about the Oisf-users mailing list