[Oisf-users] Issue using several interfaces with suricata 4.0.4

Piquenot, Gaetan gaetan.piquenot at airbus.com
Tue Aug 21 14:17:58 UTC 2018

Thank you it worked.

I had to combine both solutions to make it working, so my sysconfig file(this file is called into the systemd unit file) is:
OPTIONS=”-i <IFACE1> … -i <IFACEN> --user suricata”

And my suricata.yaml is like you wrote it.


Gaëtan Piquenot

From: Davide Setti [mailto:d.setti at certego.net]
Sent: Tuesday, August 21, 2018 3:56 PM
To: Piquenot, Gaetan
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Issue using several interfaces with suricata 4.0.4

Hi Gaetan,

are you passing interfaces via command line or via config file?

Cause if you use a config file it should be pretty easier to setup multiple interfaces. I suppose you are using AF_PACKET, you just have to keep in mind to use different "cluster-id" for each interfaces:

  - interface: eth0
    cluster-id: 100
  - interface: eth1
    cluster-id: 101
  - interface: ethN
    cluster-id: 102

Then you should run:
suricata --af-packet -c <path-to-config>


2018-08-21 15:30 GMT+02:00 Piquenot, Gaetan <gaetan.piquenot at airbus.com<mailto:gaetan.piquenot at airbus.com>>:

I’m trying to make suricata sniffing onto 4 ifaces, but when I put several –i <IFACE NAME> into /etc/sysconfig/suricata (CentOS), I can’t run suricata and get following errors:

21/8/2018 -- 14:09:03 - <Warning> - [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)] - using multiple devices to get packets is experimental.
{"timestamp":"2018-08-21T14:09:03.228795+0200","event_type":"engine","engine":{"message":"This is Suricata version 4.0.4 RELEASE"}}
{"timestamp":"2018-08-21T14:09:03.393105+0200","event_type":"engine","engine":{"message":"all 12 packet processing threads, 4 management threads initialized, engine started."}}
{"timestamp":"2018-08-21T14:09:03.449420+0200","event_type":"engine","engine":{"error_code":190,"error":"SC_ERR_AFP_CREATE","message":"Couldn't set fanout mode, error Invalid argument"}}
{"timestamp":"2018-08-21T14:09:03.455418+0200","event_type":"engine","engine":{"error_code":190,"error":"SC_ERR_AFP_CREATE","message":"Couldn't init AF_PACKET socket, fatal error"}}
{"timestamp":"2018-08-21T14:09:03.463594+0200","event_type":"engine","engine":{"error_code":171,"error":"SC_ERR_FATAL","message":"thread RX#01-ens225 failed"}}

I saw this old link https://lists.openinfosecfoundation.org/pipermail/oisf-users/2015-November/005412.html but my ifaces are configured  and if I use them one by one it’s working.



Davide Setti
R&D and Incident Response Team, Certego
[http://www.certego.net/email/linkedin.png]<http://www.linkedin.com/company/certego> [http://www.certego.net/email/twitter.png] <http://twitter.com/Certego_IRT>  [http://www.certego.net/email/github.png] <http://github.com/certego>  [http://www.certego.net/email/youtube.png] <http://www.youtube.com/CERTEGOsrl>  [http://www.certego.net/email/googleplus.png] <http://plus.google.com/117641917176532015312>

Use of the information within this document constitutes acceptance for use in an "as is" condition. There are no warranties with regard to this information; Certego has verified the data as thoroughly as possible. Any use of this information lies within the user's responsibility. In no event shall Certego be liable for any consequences or damages, including direct, indirect, incidental, consequential, loss of business profits or special damages, arising out of or in connection with the use or spread of this information.
The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180821/1d730880/attachment-0001.html>

More information about the Oisf-users mailing list