[Oisf-users] Suricata and XDP
ltishend
ltishend at uw.edu
Mon Jun 10 14:26:23 UTC 2019
> /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv and share the full output?
[25180] 10/6/2019 -- 07:22:34 - (suricata.c:1067) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev c1b30fe9f) running in SYSTEM mode
[25180] 10/6/2019 -- 07:22:34 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 40
[25180] 10/6/2019 -- 07:22:34 - (tmqh-flow.c:63) <Notice> (TmqhFlowRegister) -- using flow hash instead of active packets
[25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[25180] 10/6/2019 -- 07:22:34 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[25180] 10/6/2019 -- 07:22:44 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 2 rule files processed. 36833 rules successfully loaded, 0 rules failed
[25180] 10/6/2019 -- 07:22:44 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[25180] 10/6/2019 -- 07:22:45 - (detect-engine-build.c:1426) <Info> (SigAddressPrepareStage1) -- 36833 signatures processed. 261 are IP-only rules, 13916 are inspecting packet payload, 22463 inspect application layer, 103 are decoder event only
[25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:441) <Info> (ParseAFPConfig) -- af-packet will use '/etc/suricata/xdp_filter.bpf' as XDP filter file
[25180] 10/6/2019 -- 07:23:12 - (util-ebpf.c:308) <Error> (EBPFSetupXDP) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to set XDP on 'enp175s0f1': Invalid argument (-22)
[25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:486) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when setting up XDP
[25180] 10/6/2019 -- 07:23:12 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 13 thread(s)
[25180] 10/6/2019 -- 07:23:13 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[25180] 10/6/2019 -- 07:23:13 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[25180] 10/6/2019 -- 07:23:13 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 13 packet processing threads, 5 management threads initialized, engine started.
[25204] 10/6/2019 -- 07:23:19 - (source-af-packet.c:509) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
> ethtool -x your-interface-here
RX flow hash indirection table for enp175s0f1 with 13 RX ring(s):
RSS hash key:
6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a
RSS hash function:
toeplitz: on
xor: off
crc32: off
> ethtool -n your-interface-here
13 RX rings available
Total 0 rules
> -----Original Message-----
> From: Peter Manev <petermanev at gmail.com>
> Sent: Saturday, June 8, 2019 12:32 AM
> To: ltishend <ltishend at uw.edu>
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata and XDP
>
> On Sat, Jun 8, 2019 at 12:45 AM ltishend <ltishend at uw.edu> wrote:
> >
> > >What is your start command?
> >
> > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
> > /var/run/suricata.pid --af-packet
> >
>
> Can you please run it again with -
> /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv and share the full output?
>
> Also what is the output of
> ethtool -x your-interface-here
> ethtool -n your-interface-here
>
> Thank you
>
>
>
> --
> Regards,
> Peter Manev