[Oisf-users] AF_PACKET: fanout not supported on this system, falling back to 1 capture thread
ltow at centrum.cz
Wed Oct 5 10:19:06 UTC 2016
Hello,
it does not seem to be a compile-flag issue; Suricata was properly built with AF_PACKET support:
root at mirach:~# suricata --build-info
This is Suricata version 3.1.2 RELEASE
Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.9.2, C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.22, linked against LibHTP v0.5.22
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
NFLOG support: yes
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
Prelude support: yes
PCRE jit: no, libpcre 8.35 blacklisted
LUA support: yes, through luajit
libluajit: yes
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Hyperscan support: no
Libnet support: yes
Suricatasc install: yes
Profiling enabled: no
Profiling locks enabled: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
As seen here: https://fossies.org/diffs/suricata/3.1_vs_3.1.1/src/runmode-af-packet.c-diff.html
and here: https://doxygen.openinfosecfoundation.org/source-af-packet_8c_source.html#l01812
the runtime check for AF_PACKET fanout was implemented in Suricata 3.1.1:
runmode-af-packet.c:
    /* if the number of threads is not 1, we need to first check if fanout
     * functions on this system. */
    if (aconf->threads != 1) {
        if (AFPIsFanoutSupported() == 0) {
            if (aconf->threads != 0) {
                SCLogNotice("fanout not supported on this system, falling "
                            "back to 1 capture thread");
            }
            aconf->threads = 1;
        }
    }
    /* try to automagically set the proper number of threads */
source-af-packet.c:
/** \brief test if we can use FANOUT. Older kernels like those in
 *  CentOS6 have HAVE_PACKET_FANOUT defined but fail to work
 */
int AFPIsFanoutSupported(void)
{
#ifdef HAVE_PACKET_FANOUT
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd != -1) {
        uint16_t mode = PACKET_FANOUT_HASH | PACKET_FANOUT_FLAG_DEFRAG;
        uint16_t id = 99;
        uint32_t option = (mode << 16) | (id & 0xffff);
        int r = setsockopt(fd, SOL_PACKET, PACKET_FANOUT, (void *)&option, sizeof(option));
        close(fd);
        if (r < 0) {
            SCLogPerf("fanout not supported by kernel: %s", strerror(errno));
            return 0;
        }
        return 1;
    }
#endif
    return 0;
}
And this check is failing on kernel 3.16 compiled with AF_PACKET support (or at least on the stock Debian Jessie kernel):
root at mirach:~# grep -x 'CONFIG_PACKET=[ym]' "/boot/config-$(uname -r)"
CONFIG_PACKET=y
As it fails without any additional message, I suppose this condition is evaluated as false:
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd != -1) {
Could you please confirm that somebody is using Suricata > 3.1.1 on the Debian Jessie stock kernel?
Are any developers here, or should I copy this to the devel mailing list? :-)
Kind regards
Litin
______________________________________________________________
> From: Eric Leblond <eric at regit.org>
> To: Victor Julien <lists at inliniac.net>,
> Date: 05.10.2016 08:34
> Subject: Re: [Oisf-users] AF_PACKET: fanout not supported on this system,
>
>Hi,
>
>On mer., 2016-10-05 at 08:15 +0200, Victor Julien wrote:
>> On 05-10-16 01:04, ltow at centrum.cz wrote:
>> >
>> > using stock Debian Jessie kernel:
>> >
>> > root at mirach:~# uname -a
>> > Linux mirach 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-
>> > 09-03) x86_64 GNU/Linux
>> >
>> > and jessie-backport Suricata package:
>> >
>> > root at mirach:~# suricata -V
>> > This is Suricata version 3.1.2 RELEASE
>> >
>> > I am not able to use AF_PACKET fanout, as check for fanout is
>> > failing and only one detect thread is started instead:
>> >
>> > root at mirach:~# suricata -c /etc/suricata/suricata.yaml --af-
>> > packet=eth2 --runmode workers -vvvvv
>> > ......
>> > 5/10/2016 -- 00:47:59 - <Info> - Unified2-alert initialized:
>> > filename unified2.alert, limit 32 MB
>> > 5/10/2016 -- 00:47:59 - <Info> - stats output device (regular)
>> > initialized: stats.log
>> > 5/10/2016 -- 00:47:59 - <Notice> - fanout not supported on this
>> > system, falling back to 1 capture thread
>>
>> It looks like this was checked during compilation of the packet ports
>> package. Jessie should support fanout though, so not sure why it
>> doesn't
>> work. Maybe it's something weird in the package building process.
>
>I agree. We are building at Stamus Networks on debian Jessie and it is
>working correctly.
>
>The configure script is checking for a define in "linux/if_packet.h"
>that is coming by default from linux-libc-dev (file in that case
>is /usr/include/linux/if_packet.h).
>
>Could it be possible the package is outdated or another file is
>included?
>
>++
>--
>Eric Leblond <eric at regit.org>
>Blog: https://home.regit.org/
>_______________________________________________
>Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>
>
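The thread above narrows the question to which of the two syscalls in AFPIsFanoutSupported() fails: socket(AF_PACKET, ...) or setsockopt(PACKET_FANOUT). Suricata only logs the setsockopt failure (and only at SCLogPerf level), so a failing socket() call is silent. The following standalone program is an added example, not Suricata's code: it repeats the same probe but reports the failing step and its errno separately. It assumes a Linux build host with linux-libc-dev headers; the function and enum names (probe_fanout, fanout_option, FANOUT_*) are this example's own.

```c
/*
 * fanout_probe.c: reproduce Suricata's AF_PACKET fanout probe, but report
 * which step fails.  Added example for this thread, not Suricata source.
 *
 * Build and run (needs root or CAP_NET_RAW, like Suricata itself):
 *   gcc -Wall -o fanout_probe fanout_probe.c && sudo ./fanout_probe
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>          /* htons */
#include <linux/if_ether.h>     /* ETH_P_ALL */
#include <linux/if_packet.h>    /* PACKET_FANOUT*, SOL_PACKET */

/* Hypothetical result codes for this example (not Suricata's). */
enum fanout_result {
    FANOUT_OK = 0,             /* kernel accepted PACKET_FANOUT */
    FANOUT_NO_SOCKET = -1,     /* socket() failed: CONFIG_PACKET off, or no CAP_NET_RAW */
    FANOUT_NO_SETSOCKOPT = -2  /* socket ok, setsockopt() refused: kernel < 3.1 or policy */
};

/* Pack mode and group id the way PACKET_FANOUT expects: mode in the high
 * 16 bits, group id in the low 16 bits (same arithmetic as Suricata). */
uint32_t fanout_option(uint16_t mode, uint16_t id)
{
    return ((uint32_t)mode << 16) | (id & 0xffffu);
}

/* Run the probe.  Returns an enum fanout_result; *err receives the errno
 * of the failing call, or 0 on success. */
int probe_fanout(int *err)
{
    *err = 0;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd == -1) {
        *err = errno;
        return FANOUT_NO_SOCKET;
    }
    /* Same mode and group id Suricata uses in AFPIsFanoutSupported(). */
    uint32_t option = fanout_option(PACKET_FANOUT_HASH | PACKET_FANOUT_FLAG_DEFRAG, 99);
    int r = setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &option, sizeof(option));
    int saved = errno;          /* close() may clobber errno */
    close(fd);
    if (r < 0) {
        *err = saved;
        return FANOUT_NO_SETSOCKOPT;
    }
    return FANOUT_OK;
}

const char *fanout_result_str(int res)
{
    switch (res) {
    case FANOUT_OK:            return "fanout supported";
    case FANOUT_NO_SOCKET:     return "socket(AF_PACKET, SOCK_RAW) failed";
    case FANOUT_NO_SETSOCKOPT: return "setsockopt(PACKET_FANOUT) failed";
    default:                   return "unknown result";
    }
}

int main(void)
{
    int err = 0;
    int res = probe_fanout(&err);
    if (res == FANOUT_OK)
        printf("%s\n", fanout_result_str(res));
    else
        printf("%s: %s (errno %d)\n", fanout_result_str(res), strerror(err), err);
    return res == FANOUT_OK ? 0 : 1;
}
```

Run it as the same user and under the same capability set Suricata starts with: an EPERM from socket() points at missing CAP_NET_RAW (for instance when Suricata has already dropped privileges), while EINVAL from setsockopt() is the genuine "kernel has no fanout" case the Suricata comment describes. The same distinction can be read off the real binary with `strace -f -e trace=socket,setsockopt suricata ...`.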