[Oisf-users] problem with af-packet in 3.1.2

Cooper F. Nelson cnelson at ucsd.edu
Tue Sep 27 20:40:49 UTC 2016

Try using at least a 4.7 kernel and force tpacket-v2 in the af-packet

tpacket-v2: yes


On 9/27/2016 1:36 PM, Michael Stone wrote:
> I generally use af-packet in my suricata deployments, but on some
> machines with i210 interfaces running 3.1.2 that configuration causes
> suricata to spin all cpus at 100%, while dropping most of the traffic. 
> (The stats file lists capture.kernel_packets, doesn't list drops, but
> the shutdown message says that almost all the packets were dropped.) If
> I use the same configuration but substitute a USB ethernet adapter,
> everything behaves as expected. If I use the i210 interface but switch
> from af-packet to pcap, everything behaves as expected. If I downgrade
> to a 3.0 version of suricata, everything works with af-packet. No
> earlier release of 3.1.x works with af-packet. I've tried 3.16 and 4.6
> kernels with no difference in the results. In practical terms there's no
> reason not to run pcap mode in this particular configuration, but it
> would be nice to know what af-packet is behaving so badly.
> Mike Stone
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160927/0da9235e/attachment-0002.sig>

More information about the Oisf-users mailing list