[Oisf-users] [FORGED] [FORGED] Broadcom NetXtreme II BCM5709 NIC

Leonard Jacobs ljacobs at netsecuris.com
Tue Oct 20 23:15:42 UTC 2015 

There is more than one offloading setting that needs to be disabled.

-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Russell Fulton
Sent: Tuesday, October 20, 2015 3:28 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] [FORGED] [FORGED] Broadcom NetXtreme II BCM5709 NIC

yet an other update.

Thanks to Leonard and Duarte for their suggestions.

I had it running with -i eth3 and it worked but dropped lots of packets since there was just one capture thread.  Then puppet updated the rules and restarted suricata with the ‘standard’ setup (i.e. afpacket) and it worked just fine.  <shrug>  Iam not sure what caused the original issue or what changed to resolve it.

I  just checked when I did turned of the ofloading on the NIC and verified that it failed again after I had done that.

What is clear that afpacket works fine with these NICs.

Russell

> On 20 Oct 2015, at 11:32, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> 
> Up date on this:  I have just realised that I have an identical machine with broadcom NICs which is working fine with afpacket — I don’t remember doing anything special to get it going.
> 
> So the question now becomes what is actually wrong here?
> 
> Russell
> 
>> On 20 Oct 2015, at 10:13, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>> 
>> Hi
>> 
>> I have just build an old Dell R610 which has broadcom NICs as a suricata sensor but when I start suri using AFpacket I get a bunch of errors:
>> 
>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started. 
>> Oct 19 00:30:03 secmonprd05 kernel: [618411.460572] device eth3 
>> entered promiscuous mode Oct 19 00:30:03 secmonprd05 suricata: 
>> 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] 
>> - Coudn't set fanout mode, error Invalid argument Oct 19 00:30:03 
>> secmonprd05 kernel: [618411.507293] device eth3 left promiscuous mode 
>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error Oct 19 00:30:03 secmonprd05 kernel: [618411.511313] device eth3 entered promiscuous mode Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - Signal Received.  Stopping engine.
>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - 
>> <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout 
>> mode, error Invalid argument Oct 19 00:30:03 secmonprd05 last message 
>> repeated 6 times Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 
>> 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't 
>> init AF_PACKET socket, fatal error Oct 19 00:30:03 secmonprd05 
>> kernel: [618411.667074] device eth3 left promiscuous mode Oct 19 
>> 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - 
>> [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, 
>> fatal error Oct 19 00:30:03 secmonprd05 last message repeated 5 times
>> 
>> I conclude that I cant use afpacket with these NICs. 
>> 
>> I am now running using plain old -i eth3 but we are dropping lots of packets.
>> 
>> There are a number of options I can try (buy another nic, pf_ring) but thought I would check that there isn’t anything I can do to get afpacket to work with these NICs.
>> 
>> Russell
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: 
>> http://suricata-ids.org/support/
>> List: 
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: 
>> http://oisfevents.net
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: 
> http://oisfevents.net

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net

More information about the Oisf-users mailing list