[Oisf-users] AF-packet mode not working

Peter Manev petermanev at gmail.com
Tue Dec 20 16:44:56 UTC 2016


On Tue, Dec 20, 2016 at 9:48 AM, Sergio Romero <SRomero at nexica.com> wrote:
> Hello Everyone,
>
>
>
> Upgrading to the latest 4.8 kernel did the trick and it starts OK, but it still shows
> "System too old for tpacket v3 switching to v2"… what does this mean?
>
> 20/12/2016 -- 09:26:54 - <Info> - 37 rule files processed. 11803 rules successfully loaded, 0 rules failed
> 20/12/2016 -- 09:26:54 - <Info> - 11804 signatures processed. 1298 are IP-only rules, 4447 are inspecting packet payload, 7567 inspect application layer, 0 are decoder event only
> 20/12/2016 -- 09:26:56 - <Info> - Threshold config parsed: 0 rule(s) found
> 20/12/2016 -- 09:26:56 - <Info> - fast output device (regular) initialized: fast.log
> 20/12/2016 -- 09:26:56 - <Info> - eve-log output device (regular) initialized: eve.json
> 20/12/2016 -- 09:26:56 - <Info> - stats output device (regular) initialized: stats.log
> 20/12/2016 -- 09:26:56 - <Notice> - System too old for tpacket v3 switching to v2

Can you please post a bug report?

If it is possible, could you share your yaml config as well? Mask out
the nets, no problem.

>
> 20/12/2016 -- 09:26:56 - <Info> - Going to use 16 thread(s)
> 20/12/2016 -- 09:26:56 - <Notice> - System too old for tpacket v3 switching to v2
> 20/12/2016 -- 09:26:56 - <Info> - Going to use 16 thread(s)
> 20/12/2016 -- 09:26:57 - <Notice> - all 32 packet processing threads, 4 management threads initialized, engine started.
> 20/12/2016 -- 09:27:04 - <Info> - All AFP capture threads are running.
>
>
>
> Regards,
>
>
>
> Sergio
>
>
>
> -----Original Message-----
> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org]
> On behalf of Sergio Romero
> Sent: Friday, 16 December 2016 11:06
> To: oisf-users at lists.openinfosecfoundation.org
>
>
> Subject: Re: [Oisf-users] AF-packet mode not working
>
>
>
> Hi Eric!
>
>
>
> Tried pf_ring but I believe it processes fewer pkts than pcap, maybe I'm
> wrong.
>
>
>
> We'll try to update to 4.8 then and get back to you if all works as expected.
>
>
>
> Thanks for your help.
>
>
>
> Sergio
>
>
>
> -----Original Message-----
>
> From: Eric Leblond [mailto:eric at regit.org] Sent: Friday, 16
> December 2016 10:00
>
> To: Sergio Romero <SRomero at nexica.net>;
> oisf-users at lists.openinfosecfoundation.org
>
> Subject: Re: [Oisf-users] AF-packet mode not working
>
>
>
> Hi,
>
>
>
> On Fri, 2016-12-16 at 08:29 +0000, Sergio Romero wrote:
>> Hello Eric,
>>
>> Tried with threads:auto and threads:8 with the same results.
>>
>> Kernel is a bit outdated, 3.10.58-1.el6.elrepo.x86_64 from elrepo.
>
> Wow, middle age is calling you.
>
>> Do you think we should update the kernel to the latest release (kernel-lt-
>> 3.10.104-1) or maybe upgrade to the ml one, kernel-ml-4.8.13-1 or
>> kernel-ml-4.9.0-1 ?
>
> If you wanna keep 3.10 then use the pcap or pfring capture method. If you can
> upgrade, then pick one of these two. Maybe 4.8.13 is a little bit more
> mature than the 4.9, so more chance it is more stable.
>
> BR,
> --
> Eric
>
>
>
>>
>> Regards,
>>
>> -----Original Message-----
>> From: Eric Leblond [mailto:eric at regit.org] Sent: Friday, 16
>> December 2016 9:08
>> To: Sergio Romero <SRomero at nexica.net>; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] AF-packet mode not working
>>
>> Hi,
>>
>> On Fri, 2016-12-16 at 07:54 +0000, Sergio Romero wrote:
>> > Hello everyone,
>> >
>> > Been trying to modify my setup with the new version, starting in
>> > af-packet mode, but it's not working, logging starting errors (already
>> > tried the threads:1 solution for centos6 but with no change)
>>
>> Centos 6 should be able to run with multiple threads. What is the
>> kernel version ?
>>
>
>> > , the mode that works almost fine is pcap but with +-40 %
>> > kernel_drops:
>> >
>> > Setup:
>> > · Suricata 3.2
>> > · Centos 6 x64
>> > · Kernel 3.10
>> > · 2 x Xeon E5-2470 0 @ 2.30GHz (8 Cores with HT) --- 32 total
>> > · 96GB RAM
>> > · 2 x Intel 82599ES 10-Gigabit cards
>> > · Sniffer-only
>> >
>> > AFpacket Config:
>> >
>> >   - interface: eth2
>> >     threads: 1
>> >     cluster-id: 98
>> >     cluster-type: cluster_flow
>> >     defrag: yes
>> >     use-mmap: yes
>> >     ring-size: 300000
>> >
>> >   - interface: eth3
>> >     threads: 1
>> >     cluster-id: 97
>> >     cluster-type: cluster_flow
>> >     defrag: yes
>> >     use-mmap: yes
>> >     ring-size: 300000
>> >
>
>> > Start errors:
>> >
>> > 14/12/2016 -- 17:12:42 - <Notice> - This is Suricata version 3.2 RELEASE
>> > 14/12/2016 -- 17:12:42 - <Info> - CPUs/cores online: 32
>> > 14/12/2016 -- 17:12:42 - <Info> - Use pid file /var/run/suricata.pid from config file.
>> > 14/12/2016 -- 17:12:45 - <Info> - 37 rule files processed. 11788 rules successfully loaded, 0 rules failed
>> > 14/12/2016 -- 17:12:45 - <Info> - 11789 signatures processed. 1314 are IP-only rules, 4425 are inspecting packet payload, 7558 inspect application layer, 0 are decoder event only
>> > 14/12/2016 -- 17:12:53 - <Info> - Threshold config parsed: 0 rule(s) found
>> > 14/12/2016 -- 17:12:53 - <Info> - fast output device (regular) initialized: fast.log
>> > 14/12/2016 -- 17:12:53 - <Info> - eve-log output device (regular) initialized: eve.json
>> > 14/12/2016 -- 17:12:53 - <Info> - stats output device (regular) initialized: stats.log
>> > 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
>> > 14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)
>> > 14/12/2016 -- 17:12:55 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
>> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
>> > 14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect. Please correct the devel
>> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>> > 14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
>
>>
>> Update the configuration to have a block-size variable and increase it
>> till it works:
>>
>>   - interface: eth2
>>     threads: 1
>>     cluster-id: 98
>>     cluster-type: cluster_flow
>>     defrag: yes
>>     use-mmap: yes
>>     ring-size: 300000
>>     block-size: 32768
>>
>> The strange thing is that it should not do that on a plain eth. What is
>> the MTU on the iface ?
>>
>> Alternatively, you can also try to force capture to v2:
>>
>>      tpacket-v3: no
>>
>> BR,
>> --
>> Eric Leblond <eric at regit.org>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> --
>
> Eric Leblond <eric at regit.org>
>



-- 
Regards,
Peter Manev
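The "Frame size bigger than block size" error and the block-size fix Eric suggests in the quoted thread both come down to TPACKET_V3 ring arithmetic: one ring frame has to hold a snaplen-sized packet plus the ring header, and one block has to hold at least one frame, otherwise the engine refuses to set up the ring. The checker below is an added example, not Suricata's code and not part of the mailing-list thread; it reproduces that arithmetic for the two af-packet stanzas posted above (with and without block-size) so an operator can sanity-check a stanza against the interface MTU before starting the engine. The 16-byte TPACKET_ALIGNMENT, the 68-byte TPACKET3_HDRLEN, the 4096-byte page size and the 32768-byte default block size are constants assumed from the Linux headers on x86_64 and Suricata's defaults; the MTU values and the stanza dicts are constructed for the demonstration.

```python
"""Sanity-check Suricata af-packet ring parameters for TPACKET_V3.

Added illustration, not Suricata's own code. The arithmetic mirrors what the
engine does before calling setsockopt(PACKET_RX_RING): one frame must hold
snaplen + ring header, one block must hold at least one frame, and the block
size must be a whole number of pages.
"""
from pathlib import Path
from typing import Optional

TPACKET_ALIGNMENT = 16      # assumed: TPACKET_ALIGNMENT from linux/if_packet.h
TPACKET3_HDRLEN = 68        # assumed: TPACKET_ALIGN(sizeof tpacket3_hdr) + sizeof sockaddr_ll, x86_64
PAGE_SIZE = 4096            # assumed: getpagesize() on x86_64
DEFAULT_BLOCK_SIZE = 32768  # assumed: Suricata default when block-size is not set (8 pages)


def tpacket_align(n: int) -> int:
    """Round n up to TPACKET_ALIGNMENT, as the TPACKET_ALIGN() macro does."""
    return (n + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1)


def iface_mtu(iface: str, sysfs: str = "/sys/class/net") -> Optional[int]:
    """Read an interface MTU from sysfs (what Eric asks for); None if it does not exist."""
    try:
        return int((Path(sysfs) / iface / "mtu").read_text().strip())
    except (OSError, ValueError):
        return None


def ring_params(snaplen: int, block_size: int, ring_size: int) -> dict:
    """Compute the TPACKET_V3 ring layout for one capture thread.

    Returns frame_size, frames_per_block, block_nr and either error=None or
    the reason the engine/kernel would reject the ring request.
    """
    frame_size = tpacket_align(snaplen + TPACKET3_HDRLEN)
    frames_per_block = block_size // frame_size
    res = {"snaplen": snaplen, "block_size": block_size, "frame_size": frame_size,
           "frames_per_block": frames_per_block, "block_nr": 0, "error": None}
    if block_size % PAGE_SIZE:
        res["error"] = "block-size must be a multiple of pagesize"
    elif frames_per_block == 0:
        res["error"] = "Frame size bigger than block size"
    else:
        # enough blocks to hold ring_size frames, rounded up
        res["block_nr"] = -(-ring_size // frames_per_block)
    return res


def min_block_size(snaplen: int) -> int:
    """Smallest page-multiple block-size that fits one frame of this snaplen."""
    frame_size = tpacket_align(snaplen + TPACKET3_HDRLEN)
    return -(-frame_size // PAGE_SIZE) * PAGE_SIZE


def check_stanza(stanza: dict, mtu: int) -> dict:
    """Check one af-packet interface stanza (its YAML keys as a dict) against an MTU."""
    return ring_params(mtu,
                       block_size=int(stanza.get("block-size", DEFAULT_BLOCK_SIZE)),
                       ring_size=int(stanza["ring-size"]))


# Constructed stanzas mirroring the two fragments posted in the thread.
ORIGINAL = {"interface": "eth2", "threads": 1, "cluster-id": 98,
            "cluster-type": "cluster_flow", "defrag": "yes",
            "use-mmap": "yes", "ring-size": 300000}
WITH_BLOCK = dict(ORIGINAL, **{"block-size": 32768})

if __name__ == "__main__":
    # constructed MTUs: plain eth, jumbo frames, and an oversized value that breaks the default block
    for mtu in (1500, 9000, 65535):
        for name, st in (("original", ORIGINAL), ("with block-size", WITH_BLOCK)):
            r = check_stanza(st, mtu)
            status = r["error"] or f"OK, {r['frames_per_block']} frames/block, {r['block_nr']} blocks"
            print(f"mtu={mtu:5d} {name:16s} frame={r['frame_size']:5d} block={r['block_size']:6d}: {status}")
        print(f"            minimum block-size for mtu {mtu}: {min_block_size(mtu)}")
```

Run it against the real interface with `check_stanza(ORIGINAL, iface_mtu("eth2"))`; when the result carries the "Frame size bigger than block size" error, `min_block_size()` gives the smallest page-aligned block-size to put in the stanza, which is exactly the knob Eric tells Sergio to raise until the engine starts.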


