[Oisf-users] Packet Fanout on CentOS 7?

Michał Purzyński michalpurzynski1 at gmail.com
Sun Nov 17 10:22:25 UTC 2019


This cannot possibly be a problem with the card or the configuration of the card. That’s a problem at a higher layer. You’re sure the Suricata process has cap_net_raw?

> On Nov 16, 2019, at 10:58 PM, Peter Manev <petermanev at gmail.com> wrote:
> 
> On 17 Nov 2019, at 02:46, Cloherty, Sean E <scloherty at mitre.org> wrote:
>> 
>> 
>> After taking the Advanced Deployment and Architecture class I was fired up with ideas for improvements in my own environment. I want to use the cluster_qm mode and match worker/CPUs/RSS queues in CentOS 7. Has anyone been able to get this working on CentOS 7 or should I start migrating to CentOS 8? The kernel is 3.10.0-1062.4.1.el7.x86_64, running Suricata 5.0.0 and I was able to set the hash key and the hash functions correctly (I think) -
>>  
>> RSS hash key:
>> 6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a
>> RSS hash function:
>>     toeplitz: on
>>     xor: off
>>     crc32: off
>>  
>>  
>> When I start Suricata all the messages look good until it gets to AFP when it gives me the message –
>>  
>> 7/11/2019 -- 14:10:43 - <Notice> - all 16 packet processing threads, 4 management threads initialized, engine started.
>> 7/11/2019 -- 14:10:43 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument
>> 7/11/2019 -- 14:10:43 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>> 7/11/2019 -- 14:10:43 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-ens1f1 failed
>>  
> 
> I’ve never tried it on CentOS 7 but would recommend trying 8.
> What NIC is that? (think you mentioned Intel but wasn’t sure what driver/model)
> 
> Just to be on the safe side - the “-T” (test) run passes OK too? (And there is no other Suri running on the same interface?)
> 
> 
>> I did take a look at the test script “can-i-use-afpacket-fanout” but my sensors have no internet connection so I am not able to use it via Go. Is there another way to run this if I download it manually?
>>  
>>  
>> Thanks,
>>  
>> Sean
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> 
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
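
An offline check related to the question above about testing fanout on a sensor without internet access, added here as an example (it is not part of the thread, of Suricata, or of the can-i-use-afpacket-fanout script): it asks the kernel directly whether PACKET_FANOUT_QM, the mode behind cluster_qm, is accepted on an interface, and separates a refused mode (EINVAL from setsockopt) from a missing CAP_NET_RAW (EPERM from socket). The group id 99 and the default interface lo are assumptions; the interface must be up.

```c
/* Added example: offline AF_PACKET fanout probe (not Suricata or OISF code). */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef PACKET_FANOUT_QM
#define PACKET_FANOUT_QM 5 /* value from linux/if_packet.h; old headers lack it */
#endif

/* PACKET_FANOUT takes one int: group id in the low 16 bits, mode in the high 16. */
int fanout_arg(unsigned id, unsigned mode) {
    return (int)((id & 0xffffu) | ((mode & 0xffffu) << 16));
}

/* Returns 0 if the kernel accepts the mode on ifname, otherwise -errno. */
int probe_fanout(const char *ifname, unsigned mode) {
    unsigned idx = if_nametoindex(ifname);
    if (idx == 0)
        return errno ? -errno : -ENODEV;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -errno;              /* EPERM here: process lacks CAP_NET_RAW */
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof(sll));
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)idx;
    int rc = 0;
    int arg = fanout_arg(99, mode); /* 99: arbitrary group id (assumption) */
    if (bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &arg, sizeof(arg)) < 0)
        rc = -errno;                /* EINVAL from setsockopt: mode refused */
    close(fd);
    return rc;
}

int main(int argc, char **argv) {
    const char *ifname = argc > 1 ? argv[1] : "lo";
    int hash = probe_fanout(ifname, PACKET_FANOUT_HASH);
    int qm = probe_fanout(ifname, PACKET_FANOUT_QM);
    printf("%s: PACKET_FANOUT_HASH: %s\n", ifname, hash ? strerror(-hash) : "ok");
    printf("%s: PACKET_FANOUT_QM:   %s\n", ifname, qm ? strerror(-qm) : "ok");
    return (hash || qm) ? 1 : 0;
}
```

If PACKET_FANOUT_HASH succeeds and PACKET_FANOUT_QM returns "Invalid argument" on the same interface, the running kernel does not accept that fanout mode; if both fail with "Operation not permitted", the process is missing CAP_NET_RAW.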