[Oisf-users] Issue using several interfaces with suricata 4.0.4

Davide Setti d.setti at certego.net
Tue Aug 21 13:56:29 UTC 2018

Hi Gaetan,

are you passing interfaces via command line or via config file?

Cause if you use a config file it should be pretty easier to setup multiple
interfaces. I suppose you are using AF_PACKET, you just have to keep in
mind to use different "cluster-id" for each interfaces:

  - interface: eth0
    cluster-id: 100
  - interface: eth1
    cluster-id: 101
  - interface: ethN
    cluster-id: 102

Then you should run:
suricata --af-packet -c <path-to-config>


2018-08-21 15:30 GMT+02:00 Piquenot, Gaetan <gaetan.piquenot at airbus.com>:

> Hello,
> I’m trying to make suricata sniffing onto 4 ifaces, but when I put several
> –i <IFACE NAME> into /etc/sysconfig/suricata (CentOS), I can’t run suricata
> and get following errors:
> 21/8/2018 -- 14:09:03 - <Warning> - [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)]
> - using multiple devices to get packets is experimental.
> {"timestamp":"2018-08-21T14:09:03.228795+0200","event_
> type":"engine","engine":{"message":"This is Suricata version 4.0.4
> {"timestamp":"2018-08-21T14:09:03.393105+0200","event_
> type":"engine","engine":{"message":"all 12 packet processing threads, 4
> management threads initialized, engine started."}}
> {"timestamp":"2018-08-21T14:09:03.449420+0200","event_
> type":"engine","engine":{"error_code":190,"error":"SC_
> ERR_AFP_CREATE","message":"Couldn't set fanout mode, error Invalid
> argument"}}
> {"timestamp":"2018-08-21T14:09:03.455418+0200","event_
> type":"engine","engine":{"error_code":190,"error":"SC_
> ERR_AFP_CREATE","message":"Couldn't init AF_PACKET socket, fatal error"}}
> {"timestamp":"2018-08-21T14:09:03.463594+0200","event_
> type":"engine","engine":{"error_code":171,"error":"SC_ERR_FATAL","message":"thread
> RX#01-ens225 failed"}}
> I saw this old link https://lists.openinfosecfoundation.org/
> pipermail/oisf-users/2015-November/005412.html but my ifaces are
> configured  and if I use them one by one it’s working.
> Cordialement.

Davide Setti
R&D and Incident Response Team, Certego
<http://www.linkedin.com/company/certego>  <http://twitter.com/Certego_IRT>
<http://github.com/certego>  <http://www.youtube.com/CERTEGOsrl>
Use of the information within this document constitutes acceptance for use
in an "as is" condition. There are no warranties with regard to this
information; Certego has verified the data as thoroughly as possible. Any
use of this information lies within the user's responsibility. In no event
shall Certego be liable for any consequences or damages, including direct,
indirect, incidental, consequential, loss of business profits or special
damages, arising out of or in connection with the use or spread of this
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180821/d79aa096/attachment.html>

More information about the Oisf-users mailing list