[Oisf-users] Can't start AF_PACKET in Workers mode?

Cloherty, Sean E scloherty at mitre.org
Mon Mar 28 20:21:57 UTC 2016


OK.  That's good to know. Thank you.

-----Original Message-----
From: Eric Leblond [mailto:eric at regit.org] 
Sent: Monday, March 28, 2016 16:15 PM
To: Cloherty, Sean E <scloherty at mitre.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Can't start AF_PACKET in Workers mode?

Hello,

On Mon, 2016-03-28 at 19:47 +0000, Cloherty, Sean E wrote:
> ( buried in an earlier email about a different topic . . . )
>  
> An odd behavior I am noticing is that despite setting the afpacket 
> mode to workers, both in the yaml file and on the command line, the 
> start messages always note autofp mode.  Am I reading that correctly?
> What could cause that?  I am running in IDS mode in case that is of 
> note.
>  
> When I start up - the last line is as below.
>  
> 24/3/2016 -- 13:32:30 - <Notice> - This is Suricata version 3.0 RELEASE
> 24/3/2016 -- 13:32:30 - <Info> - CPUs/cores online: 32
> 24/3/2016 -- 13:32:30 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
> 24/3/2016 -- 13:32:30 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 42119 and 'response-body-inspect-window' set to 16872 after randomization.
> 24/3/2016 -- 13:32:30 - <Info> - DNS request flood protection level: 500
> 24/3/2016 -- 13:32:30 - <Info> - DNS per flow memcap (state-memcap): 524288
> 24/3/2016 -- 13:32:30 - <Info> - DNS global memcap: 16777216
> 24/3/2016 -- 13:32:30 - <Info> - Protocol detection and parser disabled for modbus protocol.
> 24/3/2016 -- 13:32:30 - <Info> - Found an MTU of 1500 for 'ens1f1'
> 24/3/2016 -- 13:32:30 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
> 24/3/2016 -- 13:32:30 - <Info> - preallocated 65535 defrag trackers of size 168
> 24/3/2016 -- 13:32:30 - <Info> - defrag memory usage: 14679896 bytes, maximum: 2147483648
> 24/3/2016 -- 13:32:30 - <Info> - AutoFP mode using default "Active Packets" flow load balancer

This is one message always printed by the flow load balancer mechanism at init, even if this one is not used. Don't worry about that. I will try to see if I can cook a fix removing it in the case we are running in workers mode.

++

>  
>  
> Sean Cloherty
--
Eric Leblond <eric at regit.org>




