[Oisf-users] AF-packet mode not working

Sergio Romero SRomero at nexica.com
Fri Dec 16 08:29:49 UTC 2016


Hello Eric,

Tried with threads:auto and threads:8 with same results.

Kernel is a bit outdated, 3.10.58-1.el6.elrepo.x86_64 from elrepo.

Do you think that updating the kernel to the latest release (kernel-lt-3.10.104-1) or maybe upgrading to the ml one, kernel-ml-4.8.13-1 or kernel-ml-4.9.0-1?

Regards,

-----Original message-----
From: Eric Leblond [mailto:eric at regit.org]
Sent: Friday, 16 December 2016 9:08
To: Sergio Romero <SRomero at nexica.net>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] AF-packet mode not working

Hi,

On Fri, 2016-12-16 at 07:54 +0000, Sergio Romero wrote:
> Hello everyone,
>  
> Been trying to modify my setup with the new version, starting on
> af-packet mode but it's not working, logging starting errors (already
> tried the threads:1 solution for centos6 but with no change)

Centos 6 should be able to run with multiple threads. What is the kernel version?

> , the mode that works almost good is pcap but with +-40 %
> kernel_drops:
>  
> Setup:
> ·         Suricata 3.2
> ·         Centos 6 x64
> ·         Kernel 3.10
> ·         2 x XeonE5-2470 0 @ 2.30GHz (8 Cores with HT) --- 32 total
> ·         96GB RAM
> ·         2 x Intel 82599ES 10-Gigabit cards
> ·         Sniffer-only
>  
> AFpacket Config:
>  
>   - interface: eth2
>     threads: 1
>     cluster-id: 98
>     cluster-type: cluster_flow
>     defrag: yes
>     use-mmap: yes
>     ring-size: 300000
>  
>   - interface: eth3
>     threads: 1
>     cluster-id: 97
>     cluster-type: cluster_flow
>     defrag: yes
>     use-mmap: yes
>     ring-size: 300000
>  
> Start errors:
>  
> 14/12/2016 -- 17:12:42 - <Notice> - This is Suricata version 3.2 
> RELEASE
> 14/12/2016 -- 17:12:42 - <Info> - CPUs/cores online: 32
> 14/12/2016 -- 17:12:42 - <Info> - Use pid file /var/run/suricata.pid 
> from config file.
> 14/12/2016 -- 17:12:45 - <Info> - 37 rule files processed. 11788 rules 
> successfully loaded, 0 rules failed
> 14/12/2016 -- 17:12:45 - <Info> - 11789 signatures processed. 1314 are 
> IP-only rules, 4425 are inspecting packet payload, 7558 inspect 
> application layer, 0 are decoder event only
> 14/12/2016 -- 17:12:53 - <Info> - Threshold config parsed: 0 rule(s) 
> found
> 14/12/2016 -- 17:12:53 - <Info> - fast output device (regular)
> initialized: fast.log
> 14/12/2016 -- 17:12:53 - <Info> - eve-log output device (regular)
> initialized: eve.json
> 14/12/2016 -- 17:12:53 - <Info> - stats output device (regular)
> initialized: stats.log
> 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
> 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
> 14/12/2016 -- 17:12:55 - <Notice> - all 2 packet processing threads,
> 4 management threads initialized, engine started.
> 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE:
> SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
> 14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect.
> Please correct the devel
> 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)]
> - Couldn't init AF_PACKET socket, fatal error
> 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE:
> SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size


Update configuration to have a block-size variable and increase it till it works:

  - interface: eth2
      threads: 1
      cluster-id: 98
      cluster-type: cluster_flow
      defrag: yes
      use-mmap: yes
      ring-size: 300000
      block-size: 32768

Strange thing is that it should not do that on a plain eth. What is the MTU on the iface?

Alternatively, you can also try to force capture to v2:

     tpacket-v3: no

BR,
--
Eric Leblond <eric at regit.org>


