[Oisf-users] AF-packet mode not working

Eric Leblond eric at regit.org
Fri Dec 16 09:00:01 UTC 2016


Hi,

On Fri, 2016-12-16 at 08:29 +0000, Sergio Romero wrote:
> Hello Eric,
> 
> Tried with threads:auto and threads:8  with same results.
> 
> Kernel is a bit outdated: 3.10.58-1.el6.elrepo.x86_64 from elrepo.

Wow, middle age is calling you.

> Do you think that updating the kernel to the last release
> (kernel-lt-3.10.104-1) or maybe upgrading to the ml one,
> kernel-ml-4.8.13-1 or kernel-ml-4.9.0-1?

If you wanna keep 3.10 then use the pcap or pfring capture method. If you
can upgrade, then pick one of these two. Maybe 4.8.13 is a little bit
more mature than 4.9, so there is more chance it is stable.

BR,
--
Eric

> 
> Regards,
> 
> -----Original message-----
> From: Eric Leblond [mailto:eric at regit.org]
> Sent: Friday, 16 December 2016 9:08
> To: Sergio Romero <SRomero at nexica.net>; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] AF-packet mode not working
> 
> Hi,
> 
> On Fri, 2016-12-16 at 07:54 +0000, Sergio Romero wrote:
> > Hello everyone,
> >  
> > Been trying to modify my setup with the new version, starting on
> > af-packet mode but it's not working, logging starting errors (already
> > tried the threads:1 solution for centos6 but with no change)
> 
> Centos 6 should be able to run with multiple threads. What is the
> kernel version ?
> 
> > , the mode that works almost well is pcap but with +-40%
> > kernel_drops:
> >  
> > Setup:
> > ·         Suricata 3.2
> > ·         Centos 6 x64
> > ·         Kernel 3.10
> > ·         2 x Xeon E5-2470 0 @ 2.30GHz (8 cores with HT) --- 32 total
> > ·         96GB RAM
> > ·         2 x Intel 82599ES 10-Gigabit cards
> > ·         Sniffer-only
> >  
> > AFpacket Config:
> >  
> >   - interface: eth2
> >     threads: 1
> >     cluster-id: 98
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     use-mmap: yes
> >     ring-size: 300000
> >  
> >   - interface: eth3
> >     threads: 1
> >     cluster-id: 97
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     use-mmap: yes
> >     ring-size: 300000
> >  
> > Start errors:
> >  
> > 14/12/2016 -- 17:12:42 - <Notice> - This is Suricata version 3.2 RELEASE
> > 14/12/2016 -- 17:12:42 - <Info> - CPUs/cores online: 32
> > 14/12/2016 -- 17:12:42 - <Info> - Use pid file /var/run/suricata.pid from config file.
> > 14/12/2016 -- 17:12:45 - <Info> - 37 rule files processed. 11788 rules successfully loaded, 0 rules failed
> > 14/12/2016 -- 17:12:45 - <Info> - 11789 signatures processed. 1314 are IP-only rules, 4425 are inspecting packet payload, 7558 inspect application layer, 0 are decoder event only
> > 14/12/2016 -- 17:12:53 - <Info> - Threshold config parsed: 0 rule(s) found
> > 14/12/2016 -- 17:12:53 - <Info> - fast output device (regular) initialized: fast.log
> > 14/12/2016 -- 17:12:53 - <Info> - eve-log output device (regular) initialized: eve.json
> > 14/12/2016 -- 17:12:53 - <Info> - stats output device (regular) initialized: stats.log
> > 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
> > 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
> > 14/12/2016 -- 17:12:55 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
> > 14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect. Please correct the devel
> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
> 
> 
> Update configuration to have a block-size variable and increase it
> till it works
> 
>   - interface: eth2
>       threads: 1
>       cluster-id: 98
>       cluster-type: cluster_flow
>       defrag: yes
>       use-mmap: yes
>       ring-size: 300000
>       block-size: 32768
> 
> Strange thing is that it should not do that on a plain eth. What is
> the MTU on the iface?
> 
> Alternatively, you can also try to force capture to v2:
> 
>      tpacket-v3: no
> 
> BR,
> --
> Eric Leblond <eric at regit.org>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-- 
Eric Leblond <eric at regit.org>
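The "Frame size bigger than block size" error and the "add a block-size and increase it till it works" advice above come down to the layout rules the kernel enforces on a TPACKET_V3 ring: block-size must be a non-zero multiple of the page size, each frame must be TPACKET_ALIGNMENT-aligned, a block must hold at least one frame, and tp_frame_nr must be exactly tp_block_nr times the frames per block. The C program below is an added example, not code from this thread or from Suricata: it models that layout, names which rule a given snaplen/block-size pair breaks, and computes the smallest block-size that works for an interface's MTU so the trial-and-error step can be skipped. The frame-size formula (packet bytes plus TPACKET3_HDRLEN, rounded up to TPACKET_ALIGNMENT), the `ring_v3` struct and the sample cases are assumptions made for the example; the fallback value of TPACKET3_HDRLEN is only used where the Linux header is absent.

```c
/* Added example (not code from this thread or from Suricata): a model of the
 * TPACKET_V3 ring layout Suricata requests from the kernel and of the checks
 * packet_set_ring() applies to it.  The frame-size formula is an assumption:
 * packet bytes plus TPACKET3_HDRLEN, rounded up to TPACKET_ALIGNMENT. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __linux__
#include <linux/if_packet.h>   /* TPACKET_ALIGNMENT, TPACKET_ALIGN, TPACKET3_HDRLEN */
#endif
#ifndef TPACKET_ALIGNMENT
#define TPACKET_ALIGNMENT 16
#define TPACKET_ALIGN(x) (((x) + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1))
#endif
#ifndef TPACKET3_HDRLEN
/* Fallback for non-Linux builds: assumed to equal the Linux x86_64 value,
 * TPACKET_ALIGN(sizeof(struct tpacket3_hdr)) + sizeof(struct sockaddr_ll) = 48 + 20. */
#define TPACKET3_HDRLEN 68
#endif

/* Same four size/count fields as the kernel's struct tpacket_req3; a local
 * copy so the file also builds where <linux/if_packet.h> is absent. */
struct ring_v3 {
    unsigned int tp_block_size;
    unsigned int tp_block_nr;
    unsigned int tp_frame_size;
    unsigned int tp_frame_nr;
};

/* Bytes one ring frame needs for a captured packet of `snaplen` bytes
 * (on a plain eth interface: MTU plus the 14-byte Ethernet header). */
unsigned int v3_frame_size(unsigned int snaplen)
{
    return (unsigned int)TPACKET_ALIGN(snaplen + TPACKET3_HDRLEN);
}

/* Smallest block-size the kernel accepts: a multiple of the page size that
 * holds at least one frame.  This is the thread's "increase it till it
 * works" advice, done arithmetically. */
unsigned int v3_min_block_size(unsigned int snaplen, unsigned int page_size)
{
    unsigned int frame = v3_frame_size(snaplen);
    return ((frame + page_size - 1) / page_size) * page_size;
}

/* Derive ring parameters for at least `ring_size` frames.  Returns NULL and
 * fills `out` (if non-NULL) on success, otherwise a message naming the
 * constraint the kernel would reject with EINVAL. */
const char *v3_ring_params(unsigned int snaplen, unsigned int block_size,
                           unsigned int ring_size, unsigned int page_size,
                           struct ring_v3 *out)
{
    unsigned int frame = v3_frame_size(snaplen);
    if (block_size == 0 || block_size % page_size != 0)
        return "block-size must be a non-zero multiple of the page size";
    if (frame % TPACKET_ALIGNMENT != 0)
        return "frame size is not TPACKET_ALIGNMENT aligned";
    unsigned int frames_per_block = block_size / frame;
    if (frames_per_block == 0)
        return "Frame size bigger than block size";    /* the error in the thread */
    if (ring_size == 0)
        return "ring-size must be non-zero";
    if (out) {
        out->tp_block_size = block_size;
        out->tp_frame_size = frame;
        /* tp_frame_nr must equal tp_block_nr * frames_per_block exactly,
         * so round the requested ring-size up to whole blocks. */
        out->tp_block_nr = (ring_size + frames_per_block - 1) / frames_per_block;
        out->tp_frame_nr = out->tp_block_nr * frames_per_block;
    }
    return NULL;
}

/* Total frames the kernel would allocate for these settings, 0 if rejected. */
unsigned int v3_ring_frames(unsigned int snaplen, unsigned int block_size,
                            unsigned int ring_size, unsigned int page_size)
{
    struct ring_v3 r;
    return v3_ring_params(snaplen, block_size, ring_size, page_size, &r) ? 0 : r.tp_frame_nr;
}

int main(void)
{
    unsigned int page = (unsigned int)sysconf(_SC_PAGESIZE);
    /* Constructed cases: the thread's block-size with a standard MTU, and a
     * jumbo-frame interface with a block of a single page. */
    const unsigned int cases[][2] = { { 1514, 32768 }, { 9014, 4096 } };
    for (unsigned int i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct ring_v3 r;
        const char *err = v3_ring_params(cases[i][0], cases[i][1], 300000, page, &r);
        if (err)
            printf("snaplen %u, block-size %u: %s (smallest usable block-size: %u)\n",
                   cases[i][0], cases[i][1], err, v3_min_block_size(cases[i][0], page));
        else
            printf("snaplen %u: %u blocks of %u bytes, %u frames of %u bytes, %.1f MB per ring\n",
                   cases[i][0], r.tp_block_nr, r.tp_block_size, r.tp_frame_nr,
                   r.tp_frame_size, (double)r.tp_block_size * r.tp_block_nr / 1048576.0);
    }
    return 0;
}
```

Under this model a 1514-byte snaplen needs a 1584-byte frame, so the thread's block-size of 32768 holds 20 frames and the ring-size of 300000 becomes 15000 blocks, roughly 469 MB of ring memory per interface; a jumbo-frame interface with a one-page block fails with exactly the error from the log, and the smallest block-size that fixes it is three pages. Checking the MTU, as Eric asks, is the first thing to do because the frame size is derived from it.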


