[Oisf-users] [FORGED] [FORGED] Broadcom NetXtreme II BCM5709 NIC

Peter Manev petermanev at gmail.com
Tue Oct 20 21:00:14 UTC 2015


On Tue, Oct 20, 2015 at 10:27 PM, Russell Fulton
<r.fulton at auckland.ac.nz> wrote:
> Yet another update.
>
> Thanks to Leonard and Duarte for their suggestions.
>
> I had it running with -i eth3 and it worked but dropped lots of packets since there was just one capture thread.  Then puppet updated the rules and restarted suricata with the ‘standard’ setup (i.e. afpacket) and it worked just fine.  <shrug>  I am not sure what caused the original issue or what changed to resolve it.
>
> I just checked when I turned off the offloading on the NIC and verified that it failed again after I had done that.
>
> What is clear is that afpacket works fine with these NICs.

What is different then in the setups?

>
> Russell
>
>> On 20 Oct 2015, at 11:32, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>>
>> Update on this:  I have just realised that I have an identical machine with broadcom NICs which is working fine with afpacket — I don’t remember doing anything special to get it going.
>>
>> So the question now becomes what is actually wrong here?
>>
>> Russell
>>
>>> On 20 Oct 2015, at 10:13, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>>>
>>> Hi
>>>
>>> I have just built an old Dell R610 which has broadcom NICs as a suricata sensor but when I start suri using AFpacket I get a bunch of errors:
>>>
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.460572] device eth3 entered promiscuous mode
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument
>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.507293] device eth3 left promiscuous mode
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.511313] device eth3 entered promiscuous mode
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - Signal Received.  Stopping engine.
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument
>>> Oct 19 00:30:03 secmonprd05 last message repeated 6 times
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.667074] device eth3 left promiscuous mode
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>>> Oct 19 00:30:03 secmonprd05 last message repeated 5 times
>>>
>>> I conclude that I can't use afpacket with these NICs.
>>>
>>> I am now running using plain old -i eth3 but we are dropping lots of packets.
>>>
>>> There are a number of options I can try (buy another nic, pf_ring) but thought I would check that there isn’t anything I can do to get afpacket to work with these NICs.
>>>
>>> Russell
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>>



-- 
Regards,
Peter Manev


