[Oisf-users] AF_Packet + Multiple interfaces + BPF oddities

Andrew Thrift andrew at networklabs.co.nz
Wed Aug 31 08:40:23 UTC 2016


Thank you for the reply, Andreas.

I will log a bug report.

NICs are Intel x552 and I350.

On 31/08/2016 08:14, "Andreas Herz" <andi at geekosphere.org> wrote:

> On 29/08/16 at 15:13, Andrew Thrift wrote:
> > Hi List,
> >
> > I have Suricata 3.1.1 on Ubuntu Xenial.  I have successfully
> > configured Suricata to use AF_Packet and to listen on multiple
> > interfaces, however when I enable BPF filtering on multiple
> > interfaces, it seems to stop reception of packets on enp2s0, enp3s0
> > and enp4s0.
> >
> > e.g. with the following configuration:
> >
> > #10Gigabit port1
> >   - interface: enp1s0
> >     cluster-id: 98
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     bpf-filter: vlan 12
> > #10Gigabit port2
> >   - interface: enp2s0
> >     cluster-id: 99
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     bpf-filter: vlan 12
> > #1Gbit port1
> >   - interface: enp3s0
> >     cluster-id: 100
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     bpf-filter: vlan 11
> > #1Gbit port2
> >   - interface: enp4s0
> >     cluster-id: 101
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     bpf-filter: vlan 11
> >
> > Suricata will receive traffic on vlan 12 on enp1s0, but all later
> > interfaces will NOT "see" packets.
> >
> > If I remove the BPF filter from enp3s0 and enp4s0 they will start to
> > receive all packets (including on vlan11), but enp2s0 will NOT see
> > packets on vlan12.
> >
> >
> > Is this expected behaviour?
>
> I don't think so. Can you put this as a bug report on our redmine issue
> tracker?
>
> Also include which network cards you're using. Looks like we need
> someone to reproduce it maybe.
>
> --
> Andreas Herz