[Oisf-users] AF-packet mode not working

Sergio Romero SRomero at nexica.com
Fri Dec 16 10:03:42 UTC 2016


Hello Peter,

Tried also changing block size and ring size without making it work.

Thanks anyway for your help!

Regards.

-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Friday, 16 December 2016 10:00
To: Sergio Romero <SRomero at nexica.net>
CC: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] AF-packet mode not working

On Fri, Dec 16, 2016 at 9:29 AM, Sergio Romero <SRomero at nexica.com> wrote:
> Hello Eric,
>
> Tried with threads:auto and threads:8  with same results.
>
> Kernel it's a bit outdated 3.10.58-1.el6.elrepo.x86_64 from elrepo.

apologies for jumping in - just so we don't miss it - did you adjust the block-size -
https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L557
as Eric suggested. (try for example 524288)

Thanks

>
> Do you think that updating the kernel to last release (kernel-lt-3.10.104-1) or maybe upgrading to the ml one kernel-ml-4.8.13-1 or kernel-ml-4.9.0-1 ?
>
> Regards,
>
> -----Original Message-----
> From: Eric Leblond [mailto:eric at regit.org]
> Sent: Friday, 16 December 2016 9:08
> To: Sergio Romero <SRomero at nexica.net>; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] AF-packet mode not working
>
> Hi,
>
> On Fri, 2016-12-16 at 07:54 +0000, Sergio Romero wrote:
>> Hello everyone,
>>
>> Been trying to modify my setup with the new version, starting on af-packet mode but it's not working, logging starting errors (already tried the threads:1 solution for centos6 but with no change)
>
> Centos 6 should be able to run with multiple threads. What is the kernel version ?
>
>> , the mode that works almost good is pcap but with +-40% kernel_drops:
>>
>> Setup:
>> · Suricata 3.2
>> · Centos 6 x64
>> · Kernel 3.10
>> · 2 x Xeon E5-2470 0 @ 2.30GHz (8 cores with HT) --- 32 total
>> · 96GB RAM
>> · 2 x Intel 82599ES 10-Gigabit cards
>> · Sniffer-only
>>
>> AFpacket Config:
>>
>>   - interface: eth2
>>     threads: 1
>>     cluster-id: 98
>>     cluster-type: cluster_flow
>>     defrag: yes
>>     use-mmap: yes
>>     ring-size: 300000
>>
>>   - interface: eth3
>>     threads: 1
>>     cluster-id: 97
>>     cluster-type: cluster_flow
>>     defrag: yes
>>     use-mmap: yes
>>     ring-size: 300000
>>
>> Start errors:
>>
>> 14/12/2016 -- 17:12:42 - <Notice> - This is Suricata version 3.2 RELEASE
>> 14/12/2016 -- 17:12:42 - <Info> - CPUs/cores online: 32
>> 14/12/2016 -- 17:12:42 - <Info> - Use pid file /var/run/suricata.pid from config file.
>> 14/12/2016 -- 17:12:45 - <Info> - 37 rule files processed. 11788 rules successfully loaded, 0 rules failed
>> 14/12/2016 -- 17:12:45 - <Info> - 11789 signatures processed. 1314 are IP-only rules, 4425 are inspecting packet payload, 7558 inspect application layer, 0 are decoder event only
>> 14/12/2016 -- 17:12:53 - <Info> - Threshold config parsed: 0 rule(s) found
>> 14/12/2016 -- 17:12:53 - <Info> - fast output device (regular) initialized: fast.log
>> 14/12/2016 -- 17:12:53 - <Info> - eve-log output device (regular) initialized: eve.json
>> 14/12/2016 -- 17:12:53 - <Info> - stats output device (regular) initialized: stats.log
>> 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
>> 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
>> 14/12/2016 -- 17:12:55 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
>> 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
>> 14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect. Please correct the devel
>> 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>> 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
>
>
> Update configuration to have a block-size variable and increase it 
> till it works
>
>   - interface: eth2
>       threads: 1
>       cluster-id: 98
>       cluster-type: cluster_flow
>       defrag: yes
>       use-mmap: yes
>       ring-size: 300000
>       block-size: 32768
>
> Strange thing is that it should not do that on a plain eth. What is the MTU on the iface ?
>
> Alternatively, you can also try to force capture to v2:
>
>      tpacket-v3: no
>
> BR,
> --
> Eric Leblond <eric at regit.org>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users



--
Regards,
Peter Manev
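The thread turns on the relation between the capture frame size (driven by the interface MTU / snaplen) and the AF_PACKET block size that Eric asks Sergio to raise. The script below is an added example, not code from this thread or from Suricata: it models the ring-sizing rules that Linux af_packet enforces when a PACKET_RX_RING is set up for TPACKET_V3 (block size page-aligned, frame size 16-byte aligned, at least one frame per block) and reports the same "Frame size bigger than block size" condition seen in Sergio's log, so a stanza can be sanity-checked before restarting the sensor. The page size, the TPACKET_V3 header length and the snaplen-equals-MTU relation are assumptions for an x86-64 host; the `mtu` key and the `check_config` helper are constructed for the example and are not suricata.yaml keys.

```python
"""Sanity-check af-packet ring parameters (added example, not Suricata's code)."""
import math

PAGE_SIZE = 4096          # assumed: getpagesize() on x86-64
TPACKET_ALIGNMENT = 16    # TPACKET_ALIGNMENT from <linux/if_packet.h>
TPACKET3_HDRLEN = 68      # assumed: TPACKET_ALIGN(sizeof tpacket3_hdr) + sizeof sockaddr_ll on x86-64


def tpacket_align(n):
    """Round n up to the TPACKET_ALIGNMENT boundary (the kernel's TPACKET_ALIGN macro)."""
    return (n + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1)


def frame_size_for(snaplen):
    """Smallest aligned frame that holds one snaplen-byte packet plus the v3 header."""
    return tpacket_align(snaplen + TPACKET3_HDRLEN)


def ring_params(snaplen, block_size, ring_size):
    """Derive (block_size, frame_size, block_nr, frame_nr) the way a TPACKET_V3
    ring would be requested, or raise ValueError when the kernel would refuse it."""
    frame_size = frame_size_for(snaplen)
    if block_size % PAGE_SIZE:
        raise ValueError("block-size %d is not a multiple of the page size" % block_size)
    frames_per_block = block_size // frame_size
    if frames_per_block == 0:
        # the condition behind Suricata's SC_ERR_INVALID_VALUE message in the thread
        raise ValueError("Frame size bigger than block size")
    block_nr = math.ceil(ring_size / frames_per_block)   # enough blocks for ring-size frames
    return block_size, frame_size, block_nr, frames_per_block * block_nr


def check_config(iface):
    """Evaluate one af-packet stanza given as a dict of YAML keys and return a verdict line.
    'snaplen' defaults to the interface MTU ('mtu' is a constructed key for this example)."""
    snaplen = iface.get("snaplen", iface["mtu"])
    try:
        bs, fs, nb, nf = ring_params(snaplen, iface["block-size"], iface["ring-size"])
    except ValueError as err:
        return "%s: ERROR %s" % (iface["interface"], err)
    return "%s: ok frame=%d block=%d blocks=%d frames=%d" % (iface["interface"], fs, bs, nb, nf)


if __name__ == "__main__":
    # constructed stanzas: the thread's eth2 with Eric's block-size, a jumbo-MTU variant
    # with a block too small to hold one frame, and a block-size that is not page-aligned
    for stanza in (
        {"interface": "eth2", "mtu": 1500, "ring-size": 300000, "block-size": 32768},
        {"interface": "eth2", "mtu": 9000, "ring-size": 300000, "block-size": 4096},
        {"interface": "eth3", "mtu": 1500, "ring-size": 300000, "block-size": 30000},
    ):
        print(check_config(stanza))
```

With a 1500-byte MTU each frame comes out at 1568 bytes, so a 32768-byte block carries 20 frames and a ring-size of 300000 needs 15000 blocks; raising block-size (Peter's 524288) simply packs more frames per block. The check only reproduces the kernel's static rules, so a stanza that passes here can still fail for other reasons (driver, memory limits, kernel version), which is why the thread's MTU question and the `tpacket-v3: no` fallback remain worth trying.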

