[Oisf-users] AF-packet mode not working

Sergio Romero SRomero at nexica.com
Fri Dec 16 10:05:42 UTC 2016


Hi Eric!

Tried pf_ring but I believe that it processes fewer pkts than pcap, maybe I'm wrong.

We'll try to update to 4.8 then and get back to you if all works as expected.

Thanks for your help.

Sergio

-----Original Message-----
From: Eric Leblond [mailto:eric at regit.org]
Sent: Friday, 16 December 2016 10:00
To: Sergio Romero <SRomero at nexica.net>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] AF-packet mode not working

Hi,

On Fri, 2016-12-16 at 08:29 +0000, Sergio Romero wrote:
> Hello Eric,
> 
> Tried with threads:auto and threads:8  with same results.
> 
> Kernel it's a bit outdated 3.10.58-1.el6.elrepo.x86_64 from elrepo.

Wow, middle age is calling you.

> Do you think that updating the kernel to the last release (kernel-lt-
> 3.10.104-1) or maybe upgrading to the ml one, kernel-ml-4.8.13-1 or
> kernel-ml-4.9.0-1 ?

If you wanna keep 3.10 then use pcap or pfring capture method. If you can upgrade, then pick one of these two. Maybe 4.8.13 is a little bit more mature than the 4.9, so more chance it is more stable.

BR,
--
Eric

> 
> Regards,
> 
> -----Original Message-----
> From: Eric Leblond [mailto:eric at regit.org]
> Sent: Friday, 16 December 2016 9:08
> To: Sergio Romero <SRomero at nexica.net>; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] AF-packet mode not working
> 
> Hi,
> 
> On Fri, 2016-12-16 at 07:54 +0000, Sergio Romero wrote:
> > Hello everyone,
> >  
> > Been trying to modify my setup with the new version, starting with
> > af-packet mode, but it's not working and logs start-up errors (already
> > tried the threads:1 solution for CentOS 6 but with no change)
> 
> CentOS 6 should be able to run with multiple threads. What is the
> kernel version?
> 
> > The mode that works almost well is pcap, but with +-40 %
> > kernel_drops:
> >  
> > Setup:
> > ·         Suricata 3.2
> > ·         CentOS 6 x64
> > ·         Kernel 3.10
> > ·         2 x Xeon E5-2470 0 @ 2.30GHz (8 Cores with HT) --- 32 total
> > ·         96GB RAM
> > ·         2 x Intel 82599ES 10-Gigabit cards
> > ·         Sniffer-only
> >  
> > AFpacket Config:
> >  
> >   - interface: eth2
> >     threads: 1
> >     cluster-id: 98
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     use-mmap: yes
> >     ring-size: 300000
> >  
> >   - interface: eth3
> >     threads: 1
> >     cluster-id: 97
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     use-mmap: yes
> >     ring-size: 300000
> >  
> > Start errors:
> >  
> > 14/12/2016 -- 17:12:42 - <Notice> - This is Suricata version 3.2 RELEASE
> > 14/12/2016 -- 17:12:42 - <Info> - CPUs/cores online: 32
> > 14/12/2016 -- 17:12:42 - <Info> - Use pid file /var/run/suricata.pid from config file.
> > 14/12/2016 -- 17:12:45 - <Info> - 37 rule files processed. 11788 rules successfully loaded, 0 rules failed
> > 14/12/2016 -- 17:12:45 - <Info> - 11789 signatures processed. 1314 are IP-only rules, 4425 are inspecting packet payload, 7558 inspect application layer, 0 are decoder event only
> > 14/12/2016 -- 17:12:53 - <Info> - Threshold config parsed: 0 rule(s) found
> > 14/12/2016 -- 17:12:53 - <Info> - fast output device (regular) initialized: fast.log
> > 14/12/2016 -- 17:12:53 - <Info> - eve-log output device (regular) initialized: eve.json
> > 14/12/2016 -- 17:12:53 - <Info> - stats output device (regular) initialized: stats.log
> > 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
> > 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
> > 14/12/2016 -- 17:12:55 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
> > 14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect. Please correct the devel
> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
> 
> 
> Update the configuration to have a block-size variable and increase it
> till it works:
> 
>   - interface: eth2
>       threads: 1
>       cluster-id: 98
>       cluster-type: cluster_flow
>       defrag: yes
>       use-mmap: yes
>       ring-size: 300000
>       block-size: 32768
> 
> The strange thing is that it should not do that on a plain eth. What is
> the MTU on the iface?
> 
> Alternatively, you can also try to force capture to v2:
> 
>      tpacket-v3: no
> 
> BR,
> --
> Eric Leblond <eric at regit.org>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
--
Eric Leblond <eric at regit.org>
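An added illustration, not code from this thread or from Suricata itself: a small model of the TPACKET_V3 ring-parameter constraints behind the "Frame size bigger than block size" error above, showing why raising block-size (or lowering the interface MTU/snaplen) makes the socket come up. The page size, the aligned v3 header length and the 16-byte frame alignment used here are assumptions chosen for illustration.

```python
import math

PAGE_SIZE = 4096               # assumption: x86_64 page size; blocks must be page multiples
V3_HDR_ALIGNED = 80            # assumption: aligned tpacket3_hdr + sockaddr_ll overhead per frame
DEFAULT_BLOCK = 8 * PAGE_SIZE  # 32768, the value suggested in the thread


def tpacket_align(n, align=16):
    """Round n up to the ring's frame alignment (16 bytes, as in TPACKET_ALIGN)."""
    return (n + align - 1) & ~(align - 1)


def frame_size_for(snaplen):
    """Bytes one ring frame needs: per-frame header plus the aligned snaplen.
    The capture snaplen normally follows the interface MTU, which is why
    jumbo frames push the frame size past a small block."""
    return V3_HDR_ALIGNED + tpacket_align(snaplen)


def fits(snaplen, block_size=DEFAULT_BLOCK):
    """True when at least one frame fits in a block (the check that failed)."""
    return frame_size_for(snaplen) <= block_size


def compute_ring(snaplen, ring_size, block_size=DEFAULT_BLOCK):
    """Return (block_size, block_nr, frame_size, frame_nr) for a v3 RX ring
    holding about `ring_size` frames, or raise ValueError on bad parameters.
    ring_size and block_size mirror the af-packet YAML keys in the thread."""
    if block_size % PAGE_SIZE:
        raise ValueError("block-size must be a multiple of the page size")
    frame_size = frame_size_for(snaplen)
    if frame_size > block_size:
        raise ValueError(f"Frame size ({frame_size}) bigger than block size ({block_size})")
    frames_per_block = block_size // frame_size
    block_nr = ring_size // frames_per_block + 1     # enough blocks to cover ring_size
    frame_nr = frames_per_block * block_nr           # v3 wants frame_nr = fpb * block_nr
    return block_size, block_nr, frame_size, frame_nr


def minimum_block_size(snaplen):
    """Smallest page-aligned block-size that holds one frame for this snaplen."""
    return math.ceil(frame_size_for(snaplen) / PAGE_SIZE) * PAGE_SIZE


if __name__ == "__main__":
    print(compute_ring(1518, 300000))        # standard MTU fits the default block
    print(fits(65535, PAGE_SIZE))            # max snaplen in a one-page block: False
    print(minimum_block_size(9000))          # block needed for a 9000-byte jumbo MTU
```

With a standard 1500-byte MTU the default block already holds about twenty frames, which is why the error on a plain eth surprised Eric; a jumbo MTU or a block-size below the page size is what normally trips this check.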


