[Oisf-users] Suricata and XDP
Eric Leblond
eric at regit.org
Mon Jun 10 14:58:58 UTC 2019
Hello,
We should have some message from libbpf on stdout. Can we have a look
at it?
On Mon, 2019-06-10 at 14:26 +0000, ltishend wrote:
> > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv
> > and share the full output?
>
> [25180] 10/6/2019 -- 07:22:34 - (suricata.c:1067) <Notice>
> (LogVersion) -- This is Suricata version 5.0.0-dev (rev c1b30fe9f)
> running in SYSTEM mode
> [25180] 10/6/2019 -- 07:22:34 - (util-cpu.c:171) <Info>
> (UtilCpuPrintSummary) -- CPUs/cores online:
> 40
>
> [25180] 10/6/2019 -- 07:22:34 - (tmqh-flow.c:63) <Notice>
> (TmqhFlowRegister) -- using flow hash instead of active
> packets
>
> [25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info>
> (SCConfLogOpenGeneric) -- eve-log output device (regular)
> initialized: eve.json
> [25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info>
> (SCConfLogOpenGeneric) -- stats output device (regular) initialized:
> stats.log
> [25180] 10/6/2019 -- 07:22:34 - (util-conf.c:115) <Info>
> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix
> socket
> [25180] 10/6/2019 -- 07:22:44 - (detect-engine-loader.c:351) <Info>
> (SigLoadSignatures) -- 2 rule files processed. 36833 rules
> successfully loaded, 0 rules failed
> [25180] 10/6/2019 -- 07:22:44 - (util-threshold-config.c:1126) <Info>
> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s)
> found
> [25180] 10/6/2019 -- 07:22:45 - (detect-engine-build.c:1426) <Info>
> (SigAddressPrepareStage1) -- 36833 signatures processed. 261 are IP-
> only rules, 13916 are inspecting packet payload, 22463 inspect
> application layer, 103 are decoder event only
> [25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:441) <Info>
> (ParseAFPConfig) -- af-packet will use '/etc/suricata/xdp_filter.bpf'
> as XDP filter file
> [25180] 10/6/2019 -- 07:23:12 - (util-ebpf.c:308) <Error>
> (EBPFSetupXDP) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to
> set XDP on 'enp175s0f1': Invalid argument (-22)
> [25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:486) <Warning>
> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when
> setting up XDP
> [25180] 10/6/2019 -- 07:23:12 - (util-runmodes.c:297) <Info>
> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 13 thread(s)
> [25180] 10/6/2019 -- 07:23:13 - (util-conf.c:115) <Info>
> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix
> socket
> [25180] 10/6/2019 -- 07:23:13 - (unix-manager.c:131) <Info> (UnixNew)
> -- Using unix socket file '/var/run/suricata/suricata-command.socket'
> [25180] 10/6/2019 -- 07:23:13 - (tm-threads.c:2157) <Notice>
> (TmThreadWaitOnThreadInit) -- all 13 packet processing threads, 5
> management threads initialized, engine started.
> [25204] 10/6/2019 -- 07:23:19 - (source-af-packet.c:509) <Info>
> (AFPPeersListReachedInc) -- All AFP capture threads are running.
>
> > ethtool -x your-interface-here
>
> X flow hash indirection table for enp175s0f1 with 13 RX ring(s):
> RSS hash key:
> 6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:
> 5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:
> 6d:5a:6d:5a:6d:5a
> RSS hash function:
> toeplitz: on
> xor: off
> crc32: off
>
> > ethtool -n your-interface-here
>
> 13 RX rings available
> Total 0 rules
>
>
> > -----Original Message-----
> > From: Peter Manev <petermanev at gmail.com>
> > Sent: Saturday, June 8, 2019 12:32 AM
> > To: ltishend <ltishend at uw.edu>
> > Cc: oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Suricata and XDP
> >
> > On Sat, Jun 8, 2019 at 12:45 AM ltishend <ltishend at uw.edu> wrote:
> > > > What is your start command?
> > >
> > > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
> > > /var/run/suricata.pid --af-packet
> > >
> >
> > Can you please run it again with -
> > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv
> > and share the full output?
> >
> > Also what is the output of
> > ethtool -x your-interface-here
> > ethtool -n your-interface-here
> >
> > Thank you
> >
> >
> >
> > --
> > Regards,
> > Peter Manev