[Oisf-users] Issue using several interfaces with suricata 4.0.4

Piquenot, Gaetan gaetan.piquenot at airbus.com
Tue Aug 21 13:30:51 UTC 2018


I'm trying to make suricata sniff on 4 ifaces, but when I put several -i <IFACE NAME> into /etc/sysconfig/suricata (CentOS), I can't run suricata and get the following errors:

21/8/2018 -- 14:09:03 - <Warning> - [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)] - using multiple devices to get packets is experimental.
{"timestamp":"2018-08-21T14:09:03.228795+0200","event_type":"engine","engine":{"message":"This is Suricata version 4.0.4 RELEASE"}}
{"timestamp":"2018-08-21T14:09:03.393105+0200","event_type":"engine","engine":{"message":"all 12 packet processing threads, 4 management threads initialized, engine started."}}
{"timestamp":"2018-08-21T14:09:03.449420+0200","event_type":"engine","engine":{"error_code":190,"error":"SC_ERR_AFP_CREATE","message":"Couldn't set fanout mode, error Invalid argument"}}
{"timestamp":"2018-08-21T14:09:03.455418+0200","event_type":"engine","engine":{"error_code":190,"error":"SC_ERR_AFP_CREATE","message":"Couldn't init AF_PACKET socket, fatal error"}}
{"timestamp":"2018-08-21T14:09:03.463594+0200","event_type":"engine","engine":{"error_code":171,"error":"SC_ERR_FATAL","message":"thread RX#01-ens225 failed"}}

I saw this old link https://lists.openinfosecfoundation.org/pipermail/oisf-users/2015-November/005412.html but my ifaces are configured, and if I use them one by one it works.


Gaëtan Piquenot
Ingénieur SSI
Airbus CyberSecurity

T +33 (0)1 61 38 50 57
E gaetan.piquenot at airbus.com

Airbus CyberSecurity
1 Boulevard Jean Moulin, CS 40001
78996 Elancourt Cedex
