[Oisf-users] AF-packet mode not working
Sergio Romero
SRomero at nexica.com
Tue Dec 20 08:48:36 UTC 2016
Hello Everyone,
Upgrading to the latest 4.8 kernel did the trick and it starts OK, but it still shows "System too old for tpacket v3 switching to v2"... what does this mean?
20/12/2016 -- 09:26:54 - <Info> - 37 rule files processed. 11803 rules successfully loaded, 0 rules failed
20/12/2016 -- 09:26:54 - <Info> - 11804 signatures processed. 1298 are IP-only rules, 4447 are inspecting packet payload, 7567 inspect application layer, 0 are decoder event only
20/12/2016 -- 09:26:56 - <Info> - Threshold config parsed: 0 rule(s) found
20/12/2016 -- 09:26:56 - <Info> - fast output device (regular) initialized: fast.log
20/12/2016 -- 09:26:56 - <Info> - eve-log output device (regular) initialized: eve.json
20/12/2016 -- 09:26:56 - <Info> - stats output device (regular) initialized: stats.log
20/12/2016 -- 09:26:56 - <Notice> - System too old for tpacket v3 switching to v2
20/12/2016 -- 09:26:56 - <Info> - Going to use 16 thread(s)
20/12/2016 -- 09:26:56 - <Notice> - System too old for tpacket v3 switching to v2
20/12/2016 -- 09:26:56 - <Info> - Going to use 16 thread(s)
20/12/2016 -- 09:26:57 - <Notice> - all 32 packet processing threads, 4 management threads initialized, engine started.
20/12/2016 -- 09:27:04 - <Info> - All AFP capture threads are running.
Regards,
Sergio
-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On behalf of Sergio Romero
Sent: Friday, 16 December 2016 11:06
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] AF-packet mode not working
Hi Eric!
Tried pf_ring, but I believe it processes fewer packets than pcap; maybe I'm wrong.
We'll try to update to 4.8 then and get back to you if all works as expected.
Thanks for your help.
Sergio
-----Mensaje original-----
From: Eric Leblond [mailto:eric at regit.org] Sent: Friday, 16 December 2016 10:00
To: Sergio Romero <SRomero at nexica.net<mailto:SRomero at nexica.net>>; oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] AF-packet mode not working
Hi,
On Fri, 2016-12-16 at 08:29 +0000, Sergio Romero wrote:
> Hello Eric,
>
> Tried with threads:auto and threads:8 with same results.
>
> Kernel it's a bit outdated 3.10.58-1.el6.elrepo.x86_64 from elrepo.
Wow, middle age is calling you.
> Do you think that updating the kernel to last release (kernel-lt-
> 3.10.104-1) or maybe upgrading to to ml one kernel-ml-4.8.13-1 or
> kernel-ml-4.9.0-1 ?
If you wanna keep 3.10 then use the pcap or pfring capture method. If you can upgrade, then pick one of these two. Maybe 4.8.13 is a little bit more mature than the 4.9, so there is more chance it is more stable.
BR,
--
Eric
>
> Regards,
>
> -----Original Message-----
> From: Eric Leblond [mailto:eric at regit.org] Sent: Friday, 16 December 2016 9:08
> To: Sergio Romero <SRomero at nexica.net<mailto:SRomero at nexica.net>>; oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [Oisf-users] AF-packet mode not working
>
> Hi,
>
> On Fri, 2016-12-16 at 07:54 +0000, Sergio Romero wrote:
> > Hello everyone,
> >
> > Been trying to modify my setup with the new version, starting with af-packet mode, but it's not working, logging errors at start (already tried the threads:1 solution for CentOS 6, but with no change).
>
> Centos 6 should be able to run with multiple threads. What is the
> kernel version ?
>
> > The mode that works almost well is pcap, but with +-40% kernel_drops:
> >
> > Setup:
> > · Suricata 3.2
> > · CentOS 6 x64
> > · Kernel 3.10
> > · 2 x Xeon E5-2470 0 @ 2.30GHz (8 cores with HT) --- 32 total
> > · 96GB RAM
> > · 2 x Intel 82599ES 10-Gigabit cards
> > · Sniffer-only
> >
> > AF_PACKET config:
> >
> >   - interface: eth2
> >     threads: 1
> >     cluster-id: 98
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     use-mmap: yes
> >     ring-size: 300000
> >
> >   - interface: eth3
> >     threads: 1
> >     cluster-id: 97
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     use-mmap: yes
> >     ring-size: 300000
> >
> > Start errors:
> >
> > 14/12/2016 -- 17:12:42 - <Notice> - This is Suricata version 3.2 RELEASE
> > 14/12/2016 -- 17:12:42 - <Info> - CPUs/cores online: 32
> > 14/12/2016 -- 17:12:42 - <Info> - Use pid file /var/run/suricata.pid from config file.
> > 14/12/2016 -- 17:12:45 - <Info> - 37 rule files processed. 11788 rules successfully loaded, 0 rules failed
> > 14/12/2016 -- 17:12:45 - <Info> - 11789 signatures processed. 1314 are IP-only rules, 4425 are inspecting packet payload, 7558 inspect application layer, 0 are decoder event only
> > 14/12/2016 -- 17:12:53 - <Info> - Threshold config parsed: 0 rule(s) found
> > 14/12/2016 -- 17:12:53 - <Info> - fast output device (regular) initialized: fast.log
> > 14/12/2016 -- 17:12:53 - <Info> - eve-log output device (regular) initialized: eve.json
> > 14/12/2016 -- 17:12:53 - <Info> - stats output device (regular) initialized: stats.log
> > 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
> > 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
> > 14/12/2016 -- 17:12:55 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
> > 14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect. Please correct the devel
> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
>
>
> Update the configuration to have a block-size variable and increase it till it works:
>
>   - interface: eth2
>     threads: 1
>     cluster-id: 98
>     cluster-type: cluster_flow
>     defrag: yes
>     use-mmap: yes
>     ring-size: 300000
>     block-size: 32768
>
> The strange thing is that it should not do that on a plain eth. What is the MTU on the iface?
>
> Alternatively, you can also try to force capture to v2:
>
> tpacket-v3: no
>
> BR,
> --
> Eric Leblond <eric at regit.org<mailto:eric at regit.org>>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org<mailto:oisf-users at openinfosecfoundation.org>
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
--
Eric Leblond <eric at regit.org<mailto:eric at regit.org>>
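As an added illustration of the ring-sizing advice in the thread (not code from the list or from the Suricata project): the "Frame size bigger than block size" error appears when one TPACKET_V3 frame, sized from the interface MTU, does not fit into a single ring block, which is why the MTU question and the block-size knob go together. The kernel-side constraints below mirror what the Linux packet_set_ring() checks; the way the frame size is derived from the MTU (header length, L2 overhead, page size) is an assumption, not Suricata's exact arithmetic.

```python
"""Sanity-check AF_PACKET TPACKET_V3 ring parameters before they reach
setsockopt(PACKET_RX_RING).  Constants and MTU-to-frame derivation are
assumptions for illustration, not Suricata's own code."""

PAGE_SIZE = 4096          # assumption: x86_64 page size
TPACKET_ALIGNMENT = 16    # Linux TPACKET_ALIGNMENT
TPACKET3_HDRLEN = 68      # TPACKET_ALIGN(sizeof tpacket3_hdr) + sizeof sockaddr_ll
L2_OVERHEAD = 14 + 4      # Ethernet header plus one VLAN tag (assumption)


def tpacket_align(n: int) -> int:
    """Round n up to the next multiple of TPACKET_ALIGNMENT."""
    return (n + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1)


def frame_size_for_mtu(mtu: int) -> int:
    """One ring slot: v3 header plus the largest frame the interface delivers."""
    return tpacket_align(TPACKET3_HDRLEN + L2_OVERHEAD + mtu)


def plan_ring(mtu: int, ring_size: int, block_size: int) -> dict:
    """Build a tpacket_req3 for ring-size frames and block-size bytes, raising
    ValueError with the reason Suricata or the kernel would reject it."""
    frame_size = frame_size_for_mtu(mtu)
    if frame_size > block_size:
        raise ValueError("Frame size bigger than block size")   # Suricata pre-check
    if block_size % PAGE_SIZE:
        raise ValueError("tp_block_size must be a multiple of PAGE_SIZE")  # PAGE_ALIGNED()
    frames_per_block = block_size // frame_size
    block_nr = max(1, ring_size // frames_per_block)
    return {"tp_frame_size": frame_size, "tp_block_size": block_size,
            "tp_block_nr": block_nr,
            # kernel insists tp_frame_nr == frames_per_block * tp_block_nr exactly
            "tp_frame_nr": frames_per_block * block_nr}


def smallest_block_size(mtu: int) -> int:
    """Smallest page-aligned block-size that fits one frame: the value to try
    first when the advice is "increase it till it works"."""
    return -(-frame_size_for_mtu(mtu) // PAGE_SIZE) * PAGE_SIZE


def ring_problem(mtu: int, ring_size: int, block_size: int):
    """Rejection reason for a config, or None when it would be accepted."""
    try:
        plan_ring(mtu, ring_size, block_size)
    except ValueError as exc:
        return str(exc)
    return None
```

With a plain 1500-byte MTU a 32768-byte block holds 20 frames, while a jumbo MTU with an undersized block reproduces the error from the log and `smallest_block_size` gives the block-size to set.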