[Oisf-users] [EXT] Re: Packet Fanout on CentOS 7?

Cloherty, Sean E scloherty at mitre.org
Tue Nov 19 15:23:24 UTC 2019


I’ve run the startup with strace and there was nothing obvious there – output attached.  I’ve attached the suricata.log for a -T startup and a normal one, the start script, and the primary yaml – qm.yaml and the other two which it calls.  Those two were broken out so that the same primary yaml could be shared across hosts with the same hardware.

Sean

From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: Monday, November 18, 2019 8:11 PM
To: Peter Manev <petermanev at gmail.com>
Cc: Cloherty, Sean E <scloherty at mitre.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] [EXT] Re: Packet Fanout on CentOS 7?

Nah, any af_packet app will start even if the underlying hashing mechanism is not configured correctly. You will just have a hidden packet loss ;)

Can you attach your suricata.yaml and the exact command line you start Suricata with? It looks to me like problems with permissions.

As a bonus can you try strace -o out <your suricata command goes here> and look for errors / access / permission messages in the resulting 'out' file?

On Mon, Nov 18, 2019 at 1:44 PM Peter Manev <petermanev at gmail.com> wrote:
On Mon, Nov 18, 2019 at 2:51 PM Cloherty, Sean E <scloherty at mitre.org> wrote:
>
> The NIC is a 10G dual port Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01).  The driver is ixgbe 5.6.3.  I’ve attached the output in a text file.  The script used to start it includes the following from the class  –
>
>
>

I've seen similar errs in a couple of situations:
1 - when there is another Suricata running on the same interface
2 - when using XDP (hw mode) with the wrong/not correct firmware
version of the NIC

From what I gather, it seems you don't have any of the situations above
(if I am not mistaken)
Of note: for the cluster_qm part it is known that i40 can do the
symmetric hashing with the specified low entropy key; for ixgbe I am
not sure, as I've seen both expected and unexpected results, so it is
something that needs to be further checked.
However there is a bit more to that even if set up correctly - it is
traffic dependent in some cases as well - it's been tracked here
https://redmine.openinfosecfoundation.org/issues/2725

I don't have that much experience with CentOS but will be curious to
see if you have a similar issue with CentOS 8


> ##### NIC #####
>
> ### ens1f1
>
> ifconfig ens1f1 down
> ifconfig ens1f1 up
>
> /usr/sbin/ethtool -L ens1f1 combined 16
> /usr/sbin/ethtool -K ens1f1 rxhash on
> /usr/sbin/ethtool -K ens1f1 ntuple on
> /usr/sbin/ethtool -X ens1f1 hkey 6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A equal 16
> /usr/sbin/ethtool -A ens1f1 rx off
> /usr/sbin/ethtool -C ens1f1 adaptive-rx off adaptive-tx off rx-usecs 125
> /usr/sbin/ethtool -G ens1f1 rx 1024
>
> for proto in tcp4 udp4 tcp6 udp6 ; do /usr/local/sbin/ethtool -N ens1f1 rx-flow-hash $proto sdfn ; done
>
> ##### START #####
>
> LD_PRELOAD="/usr/lib64/libtcmalloc_minimal.so.4" /usr/bin/suricata -c /etc/suricata/qm.yaml --af-packet=ens1f1 -vvv -D
>
> From: Peter Manev <petermanev at gmail.com>
> Sent: Sunday, November 17, 2019 1:59 AM
> To: Cloherty, Sean E <scloherty at mitre.org>
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: [EXT] Re: [Oisf-users] Packet Fanout on CentOS 7?
>
> On 17 Nov 2019, at 02:46, Cloherty, Sean E <scloherty at mitre.org> wrote:
>
> After taking the Advanced Deployment and Architecture class I was fired up with ideas for improvements in my own environment.  I want to use the cluster_qm mode and match worker/CPUs/RSS queues in CentOS 7.  Has anyone been able to get this working on CentOS 7 or should I start migrating to CentOS 8?  The kernel is 3.10.0-1062.4.1.el7.x86_64, running Suricata 5.0.0 and I was able to set the hash key and the hash functions correctly (I think) -
>
> RSS hash key:
> 6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a
> RSS hash function:
>     toeplitz: on
>     xor: off
>     crc32: off
>
> When I start Suricata all the messages look good until it gets to AFP when it gives me the message –
>
> 7/11/2019 -- 14:10:43 - <Notice> - all 16 packet processing threads, 4 management threads initialized, engine started.
> 7/11/2019 -- 14:10:43 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument
> 7/11/2019 -- 14:10:43 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
> 7/11/2019 -- 14:10:43 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-ens1f1 failed
>
> I’ve never tried it on CentOS 7 but would recommend trying 8.
>
> What NIC is that? (think you mentioned Intel but wasn’t sure what driver/model)
>
> Just to be on the safe side - “-T” (test) run passes ok too? (And there are no other Suri running on the same interface?)
>
> I did take a look at the test script “can-i-use-afpacket-fanout” but my sensors have no internet connection so I am not able to use it via Go. Is there another way to run this if I download it manually?
>
> Thanks,
>
> Sean
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/



--
Regards,
Peter Manev
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: strace.txt
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191119/f7fadf72/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.log
Type: application/octet-stream
Size: 20388 bytes
Desc: suricata.log
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191119/f7fadf72/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata_test_startup.log
Type: application/octet-stream
Size: 17544 bytes
Desc: suricata_test_startup.log
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191119/f7fadf72/attachment-0007.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uniq_idstest.yaml
Type: application/octet-stream
Size: 541 bytes
Desc: uniq_idstest.yaml
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191119/f7fadf72/attachment-0008.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vars.yaml
Type: application/octet-stream
Size: 1398 bytes
Desc: vars.yaml
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191119/f7fadf72/attachment-0009.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qm.yaml
Type: application/octet-stream
Size: 77137 bytes
Desc: qm.yaml
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191119/f7fadf72/attachment-0010.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qmstart.sh
Type: application/octet-stream
Size: 2155 bytes
Desc: qmstart.sh
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191119/f7fadf72/attachment-0011.obj>