[Oisf-users] [FORGED] [FORGED] Broadcom NetXtreme II BCM5709 NIC

Russell Fulton r.fulton at auckland.ac.nz
Tue Oct 20 23:25:26 UTC 2015


> On 21 Oct 2015, at 12:15, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> 
> There is more than one offloading setting that needs to be disabled.

here is my script which puppet builds for each sensor

#!/bin/bash
# Disable NIC offloading on the capture interface so the kernel hands the
# sensor the packets as they arrived on the wire.
ethtool -K eth3 tso off      # TCP segmentation offload
ethtool -K eth3 gro off      # generic receive offload
ethtool -K eth3 ufo off      # UDP fragmentation offload
ethtool -K eth3 lro off      # large receive offload
ethtool -K eth3 gso off      # generic segmentation offload
ethtool -K eth3 rx off       # rx checksumming
ethtool -K eth3 tx off       # tx checksumming
ethtool -K eth3 sg off       # scatter-gather
ethtool -K eth3 rxvlan off   # rx VLAN tag stripping
ethtool -K eth3 txvlan off   # tx VLAN tag insertion
# Hash UDP flows on src/dst address and port so both directions of a flow
# land on the same queue
ethtool -N eth3 rx-flow-hash udp4 sdfn
ethtool -N eth3 rx-flow-hash udp6 sdfn
# Interrupt coalescing: deliver packets as soon as they arrive
ethtool -C eth3 rx-usecs 1 rx-frames 0
ethtool -C eth3 adaptive-rx off

which gets run on setup and in cron to run after each reboot.  ;)

If I have missed something I would love to know!

Russell

> 
> -----Original Message-----
> From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Russell Fulton
> Sent: Tuesday, October 20, 2015 3:28 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] [FORGED] [FORGED] Broadcom NetXtreme II BCM5709 NIC
> 
> yet another update.
> 
> Thanks to Leonard and Duarte for their suggestions.
> 
> I had it running with -i eth3 and it worked but dropped lots of packets since there was just one capture thread.  Then puppet updated the rules and restarted suricata with the ‘standard’ setup (i.e. afpacket) and it worked just fine.  <shrug>  I am not sure what caused the original issue or what changed to resolve it.
> 
> I just checked when I turned off the offloading on the NIC and verified that it failed again after I had done that.
> 
> What is clear is that afpacket works fine with these NICs.
> 
> Russell
> 
>> On 20 Oct 2015, at 11:32, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>> 
>> Update on this:  I have just realised that I have an identical machine with broadcom NICs which is working fine with afpacket — I don’t remember doing anything special to get it going.
>> 
>> So the question now becomes what is actually wrong here?
>> 
>> Russell
>> 
>>> On 20 Oct 2015, at 10:13, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>>> 
>>> Hi
>>> 
>>> I have just built an old Dell R610 which has broadcom NICs as a suricata sensor but when I start suri using AFpacket I get a bunch of errors:
>>> 
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.460572] device eth3 entered promiscuous mode
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument
>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.507293] device eth3 left promiscuous mode
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.511313] device eth3 entered promiscuous mode
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - Signal Received.  Stopping engine.
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument
>>> Oct 19 00:30:03 secmonprd05 last message repeated 6 times
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.667074] device eth3 left promiscuous mode
>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>>> Oct 19 00:30:03 secmonprd05 last message repeated 5 times
>>> 
>>> I conclude that I can't use afpacket with these NICs.
>>> 
>>> I am now running using plain old -i eth3 but we are dropping lots of packets.
>>> 
>>> There are a number of options I can try (buy another nic, pf_ring) but thought I would check that there isn’t anything I can do to get afpacket to work with these NICs.
>>> 
>>> Russell
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: 
>>> http://suricata-ids.org/support/
>>> List: 
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 4 & 5 in Barcelona: 
>>> http://oisfevents.net
>> 
> 
> 
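An added example (not from this thread, and not Russell's puppet script): a shell check that parses the output of `ethtool -k` and lists which of the features the script above turns off are still on, so a sensor can verify the settings after a reboot rather than trusting that the cron job ran. It also flags features ethtool reports as [fixed], which `ethtool -K` cannot change on that driver. Assumptions: the feature names are the ones `ethtool -k` prints (rx-checksumming, tcp-segmentation-offload, and so on), and the sample output embedded in the script is constructed, not captured from a BCM5709.

```shell
#!/bin/bash
# Top-level ethtool -k feature names that should be "off" on a capture
# interface; this is the same set the thread's script disables with -K.
WANT_OFF="rx-checksumming tx-checksumming scatter-gather
tcp-segmentation-offload udp-fragmentation-offload
generic-segmentation-offload generic-receive-offload
large-receive-offload rx-vlan-offload tx-vlan-offload"

# check_offloads: read `ethtool -k <iface>` output on stdin and print each
# feature from WANT_OFF that is still on.  Returns 1 if any were on.
check_offloads() {
    local line name state f bad=0
    while IFS= read -r line; do
        # skip the "Features for ethX:" header, blank lines and the indented
        # sub-features (tx-tcp-segmentation etc.); only top-level names are checked
        case "$line" in
            Features*|[[:space:]]*|"") continue ;;
        esac
        name=${line%%:*}
        state=${line#*: }
        state=${state%% *}      # drop trailing "[fixed]" / "[requested off]"
        for f in $WANT_OFF; do
            if [ "$f" = "$name" ] && [ "$state" = "on" ]; then
                case "$line" in
                    *"[fixed]"*) echo "$name: on [fixed] - driver does not allow ethtool -K to change it" ;;
                    *)           echo "$name: on" ;;
                esac
                bad=1
            fi
        done
    done
    return $bad
}

# Constructed sample of `ethtool -k eth3` output (not captured from a real
# BCM5709): two features were left on, one of them after a reboot.
SAMPLE='Features for eth3:
rx-checksumming: off
tx-checksumming: off
	tx-checksum-ipv4: off
scatter-gather: off
	tx-scatter-gather: off
tcp-segmentation-offload: off
	tx-tcp-segmentation: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: off
highdma: on [fixed]'

# run_check IFACE: check a live interface (needs ethtool); with no argument
# the constructed sample above is checked instead.
run_check() {
    if [ -n "${1:-}" ]; then
        ethtool -k "$1" | check_offloads
    else
        printf '%s\n' "$SAMPLE" | check_offloads
    fi
}

run_check "$@" || echo "some offload features are still enabled (listed above)"
```

Run it as `sh check_offloads.sh eth3` on the sensor; an empty report and a zero exit status mean every feature in the list is off, and any line ending in [fixed] is one the driver will not let you change, so no amount of `ethtool -K` will help there.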