[Oisf-users] Suricata fails to start (Suricata 4.1.4)

Shivani Bhardwaj shivanib134 at gmail.com
Wed Jun 5 05:20:38 UTC 2019

Hi David!

On Tue, Jun 4, 2019 at 10:55 PM David Decker <x.faith at gmail.com> wrote:
> Shivani
> This what we are trying:
> suricata  -c suricata.yaml --PCAP=default
--pcap requires the interface on which you want to enable libpcap
capture support. From what I understand, "default" is not something
recognized as a valid interface. You should probably check your
interface name where you want to enable the pcap mode and provide that
in place of "default". Example, my wifi interface is named "wlp2s0" so
if I write "suricata --pcap=wlp2s0", it would make a valid command and
would run suricata in pcap mode on wlp2s0 interface.

If you want this interface for pcap to persist, you could even write
this in your suricata.yaml here:
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L703 and
then fire the command "suricata --pcap", it will pick up the interface
from the configuration file and run perfectly fine.

Let me know if the issue still persists.

> and this is the error in the suricata.log
> Failure when trying to get feature ioctl for “default”;  no such device
> On Mon, Jun 3, 2019 at 10:36 PM David Decker <x.faith at gmail.com> wrote:
>> It could have been --pcap, will have to verify this in the morning.
>> Thanks
>> On Mon, Jun 3, 2019 at 10:24 PM Shivani Bhardwaj <shivanib134 at gmail.com> wrote:
>>> Hi David!
>>> On Tue, Jun 4, 2019 at 9:02 AM David Decker <x.faith at gmail.com> wrote:
>>> >
>>> > Working on a project that uses Suricata, (just rcvd)
>>> > Suricata is failing to start at boot.
>>> >
>>> > One thing we noticed was
>>> > suricata -c suricata.yaml pcap default  (was a command line) where it states it failed.
>>> >
>>> > I understand the -c is for suricata.yaml to use as configuration file, but what is the PCAP default used for?
>>> > Dont think I have seen this before.
>>> > Where is the best place to start troubleshooting?
>>> >
>>> I think you could try the "-vv" option to the command and maybe check
>>> if the logs can reveal something for you then?
>>> There is "--pcap" option for running suricata in PCAP mode (see
>>> https://suricata.readthedocs.io/en/suricata-4.1.3/command-line-options.html#cmdoption-pcap),
>>> however with just "pcap", it seems that the output is the same as
>>> running simply "suricata" on command line.
>>> Let us know if you find anything in the verbose output that we can use
>>> to assist you.
>>> > Thanks
>>> > David
>>> > _______________________________________________
>>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> >
>>> > Conference: https://suricon.net
>>> > Trainings: https://suricata-ids.org/training/
>>> --
>>> Shivani
>>> https://about.me/shivani.bhardwaj


More information about the Oisf-users mailing list