[Oisf-users] AF-packet mode not working
Sergio Romero
SRomero at nexica.com
Fri Dec 16 07:54:45 UTC 2016
Hello everyone,
I've been trying to modify my setup with the new version, starting with af-packet mode, but it's not working and logs errors at startup (I already tried the threads:1 solution for CentOS 6, but with no change). The mode that works almost well is pcap, but with +-40 % kernel_drops:
Setup:
· Suricata 3.2
· Centos 6 x64
· Kernel 3.10
· 2 x XeonE5-2470 0 @ 2.30GHz (8 Cores with HT) --- 32 total
· 96GB RAM
· 2 x Intel 82599ES 10-Gigabit cards
· Sniffer-only
AFpacket Config:
  - interface: eth2
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 300000
  - interface: eth3
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 300000
Start errors:
14/12/2016 -- 17:12:42 - <Notice> - This is Suricata version 3.2 RELEASE
14/12/2016 -- 17:12:42 - <Info> - CPUs/cores online: 32
14/12/2016 -- 17:12:42 - <Info> - Use pid file /var/run/suricata.pid from config file.
14/12/2016 -- 17:12:45 - <Info> - 37 rule files processed. 11788 rules successfully loaded, 0 rules failed
14/12/2016 -- 17:12:45 - <Info> - 11789 signatures processed. 1314 are IP-only rules, 4425 are inspecting packet payload, 7558 inspect application layer, 0 are decoder event only
14/12/2016 -- 17:12:53 - <Info> - Threshold config parsed: 0 rule(s) found
14/12/2016 -- 17:12:53 - <Info> - fast output device (regular) initialized: fast.log
14/12/2016 -- 17:12:53 - <Info> - eve-log output device (regular) initialized: eve.json
14/12/2016 -- 17:12:53 - <Info> - stats output device (regular) initialized: stats.log
14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
14/12/2016 -- 17:12:55 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect. Please correct the devel
14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect. Please correct the devel
14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
14/12/2016 -- 17:12:55 - <Notice> - Signal Received. Stopping engine.
14/12/2016 -- 17:12:55 - <Info> - time elapsed 2.440s
14/12/2016 -- 17:12:56 - <Info> - cleaning up signature grouping structure... complete
14/12/2016 -- 17:12:56 - <Notice> - Stats for 'eth2': pkts: 0, drop: 0 (-nan%), invalid chksum: 0
14/12/2016 -- 17:12:56 - <Notice> - Stats for 'eth3': pkts: 0, drop: 0 (-nan%), invalid chksum: 0
Can anyone guide me a little to know what could be the problem, or maybe what's wrong with my config?
Regards!