[Oisf-users] Strange issue with Suricata 4.1.2 under FreeBSD 12

Carlos Lopez clopmz at outlook.com
Tue Jan 22 19:01:53 UTC 2019 

UHmm, thanks for the info Özkan … I have done a simple test: I have installed a FreeBSD 12 guest under RHEL’s KVM host configuring e1000 as a virtual nic. I have compiled Suricata from source with netmap’s support and it works out-of-the-box …

If I can, I will do some tests this week with Bro-IDS with netmap support and I will see how it goes …

Regards,
C. L. Martinez

From: Özkan KIRIK <ozkan.kirik at gmail.com>
Date: Tuesday, 22 January 2019 at 18:27
To: Carlos Lopez <clopmz at outlook.com>
Cc: oisf users <oisf-users at openinfosecfoundation.org>
Subject: Re: [Oisf-users] Strange issue with Suricata 4.1.2 under FreeBSD 12

Hello,

I have same issue with FreeBSD 12.0 RELEASE-p2.
I tried to use both ixl and igb NICs.
When I put netmap with ips mode, capture.kernel_drops is same with capture.kernel_packets.

22/1/2019 -- 08:58:40 - <Perf> - (W#01-igb3) Kernel: Packets 53, dropped 53, bytes
22/1/2019 -- 08:58:40 - <Perf> - (W#02-igb3) Kernel: Packets 0, dropped 0, bytes 0
22/1/2019 -- 08:58:40 - <Perf> - (W#03-igb3) Kernel: Packets 0, dropped 0, bytes 0
22/1/2019 -- 08:58:40 - <Perf> - (W#04-igb3) Kernel: Packets 0, dropped 0, bytes 0
22/1/2019 -- 08:58:40 - <Perf> - (W#05-igb3) Kernel: Packets 0, dropped 0, bytes 0
22/1/2019 -- 08:58:40 - <Perf> - (W#06-igb3) Kernel: Packets 0, dropped 0, bytes 0
22/1/2019 -- 08:58:40 - <Perf> - (W#07-igb3) Kernel: Packets 0, dropped 0, bytes 0
22/1/2019 -- 08:58:40 - <Perf> - (W#08-igb3) Kernel: Packets 0, dropped 0, bytes 0
22/1/2019 -- 08:58:40 - <Perf> - (W#01-igb3+) Kernel: Packets 0, dropped 0, bytes 0
22/1/2019 -- 08:58:41 - <Info> - Alerts: 0
22/1/2019 -- 08:58:41 - <Perf> - ippair memory usage: 382144 bytes, maximum: 167772
22/1/2019 -- 08:58:42 - <Perf> - host memory usage: 36614400 bytes, maximum: 134217
22/1/2019 -- 08:58:42 - <Info> - cleaning up signature grouping structure... comple
22/1/2019 -- 08:58:42 - <Notice> - Stats for 'igb3':  pkts: 53, drop: 53 (100.00%),
22/1/2019 -- 08:58:42 - <Perf> - igb3: restoring tso offloading
22/1/2019 -- 08:58:42 - <Perf> - igb3: restoring lro offloading
22/1/2019 -- 08:58:42 - <Notice> - Stats for 'igb3+':  pkts: 0, drop: 0 (nan%), inv
22/1/2019 -- 08:58:42 - <Perf> - Cleaning up Hyperscan global scratch
22/1/2019 -- 08:58:42 - <Perf> - Clearing Hyperscan database cache

I think problem is same

On Tue, Jan 22, 2019 at 7:05 PM Carlos Lopez <clopmz at outlook.com<mailto:clopmz at outlook.com>> wrote:
More info about this, changing packet capture from netmap to pcap, all works ok. In theory, my ixgbe driver is supported for netmap:

[1] 000.000024 [4184] netmap_init               netmap: loaded module
[1] ix0: netmap queues/slots: TX 8/2048, RX 8/2048
[1] ix1: netmap queues/slots: TX 8/2048, RX 8/2048
[1] ix2: netmap queues/slots: TX 8/2048, RX 8/2048
[1] ix3: netmap queues/slots: TX 8/2048, RX 8/2048

Any idea?

Regards,
C. L. Martinez


________________________________________
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org<mailto:oisf-users-bounces at lists.openinfosecfoundation.org>> on behalf of Carlos Lopez <clopmz at outlook.com<mailto:clopmz at outlook.com>>
Sent: 21 January 2019 14:37
To: oisf users
Subject: [Oisf-users] Strange issue with Suricata 4.1.2 under FreeBSD 12

Hi all,

 I have a strange issue with Suricata 4.1.2 under FreeBSD: suricata doesn't see traffic. Traffic is vlan's tagged. Using tcpdump with the options "-ttt -env -i ix1", I can see the traffic without problems.

The option of net.bpf.zerocopy_enable=0 and I'm using netmap. Any idea why I can't see the traffic? I am completely lost..



Regards,
C. L. Martinez
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org<mailto:oisf-users at openinfosecfoundation.org>
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org<mailto:oisf-users at openinfosecfoundation.org>
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190122/b896b32f/attachment-0001.html>

More information about the Oisf-users mailing list