Bug #1013
closedcommand line parsing
Description
suricata --pfring-int=eth3 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/peter-yaml/suricata-pfring.yaml -D -v - /etc/suricata/peter-yaml/empty.rules
Notice above the missing parameter in(S or s intended):
- /etc/suricata/peter-yaml/empty.rules
Suricata still starts and does not err out or display warning.
Updated by Victor Julien over 10 years ago
- Target version set to TBD
In pcap file reading mode this actually does error out:
[17355] 30/10/2013 -- 12:59:53 - (source-pcap-file.c:270) <Error> (ReceivePcapFileThreadInit) -- [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error syntax error [17354] 30/10/2013 -- 12:59:53 - (tm-threads.c:2179) <Error> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "ReceivePcapFile" closed on initialization. [17354] 30/10/2013 -- 12:59:53 - (suricata.c:2130) <Error> (main) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
I guess getopt ignores the single - and we treat what follows as a bpf string. Maybe we ignore it in case we have per interface bpf's instead.
Updated by Jason Taylor over 5 years ago
- Assignee changed from Anonymous to Jason Taylor
Updated by Victor Julien about 5 years ago
Hi Jason, did you check how this works with the current master? I think the capture methods give better output now if a portion of the commandline is interpreted as bpf.
Updated by Jason Taylor about 5 years ago
No, I haven't had a chance to revisit this yet. I am still planning on getting to it. Hopefully in the next week or so.
Updated by Jason Taylor about 5 years ago
For af-packet in current master:
jason@dinosaur suri]$ sudo suricata --af-packet=wlp1s0 c suricata.yaml - 19:32:37 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'extended' redefined.
[4180] 26/2/2019 -
[4180] 26/2/2019 -- 19:32:37 - (suricata.c:1058) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev d6903e70c)
[4180] 26/2/2019 -- 19:32:37 - (util-ioctl.c:324) <Warning> (SetEthtoolValue) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'wlp1s0': Operation not supported (95)
[4180] 26/2/2019 -- 19:32:37 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 4 packet processing threads, 2 management threads initialized, engine started.
[4181] 26/2/2019 -- 19:32:37 - (source-af-packet.c:2263) <Error> (AFPSetBPFFilter) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Failed to compile BPF "-": syntax error in filter expression: syntax error
[4181] 26/2/2019 -- 19:32:37 - (source-af-packet.c:1497) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
[4180] 26/2/2019 -- 19:32:37 - (tm-threads.c:2074) <Error> (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-wlp1s0 failed
So it looks like this is handled with better logging. I need to set up a pfring box yet to test that.
Updated by Jason Taylor about 5 years ago
current pf_ring behavior on master:
sudo suricata --pfring-int=ens3 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c ./suricata.yaml - -vv
[4025] 12/3/2019 -- 14:09:26 - (util-ioctl.c:442) <Perf> (DisableIfaceOffloadingLinux) -- ens3: disabling gro offloading
[4025] 12/3/2019 -- 14:09:26 - (util-ioctl.c:449) <Perf> (DisableIfaceOffloadingLinux) -- ens3: disabling tso offloading
[4025] 12/3/2019 -- 14:09:26 - (util-ioctl.c:456) <Perf> (DisableIfaceOffloadingLinux) -- ens3: disabling gso offloading
[4025] 12/3/2019 -- 14:09:26 - (util-ioctl.c:463) <Perf> (DisableIfaceOffloadingLinux) -- ens3: disabling sg offloading
[4025] 12/3/2019 -- 14:09:26 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[4026] 12/3/2019 -- 14:09:26 - (source-pfring.c:528) <Perf> (ReceivePfringThreadInit) -- Enabling zero-copy for ens3
[4026] 12/3/2019 -- 14:09:26 - (source-pfring.c:604) <Perf> (ReceivePfringThreadInit) -- (W#01-ens3) Using PF_RING v.7.5.0, interface ens3, cluster-id 99, single-pfring-thread
[4026] 12/3/2019 -- 14:09:26 - (source-pfring.c:618) <Info> (ReceivePfringThreadInit) -- Set PF_RING bpf filter "-" failed.
[4025] 12/3/2019 -- 14:09:26 - (runmode-pfring.c:541) <Info> (RunModeIdsPfringWorkers) -- RunModeIdsPfringWorkers initialised
[4025] 12/3/2019 -- 14:09:26 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[4025] 12/3/2019 -- 14:09:26 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[4025] 12/3/2019 -- 14:09:26 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
Updated by Jason Taylor about 5 years ago
So the behavior is a little different, when using af-packet logs an error and fails to load, pfring logs an error but loads suricata.
Is that the expected behavior?
Updated by Victor Julien about 5 years ago
I think it should be consistent for all capture methods, and I'd like this to be an error instead of a warning disguised as a 'info' message. Are you interested in updating the pfring code?
Updated by Victor Julien about 5 years ago
- Status changed from New to Closed
- Target version changed from TBD to 5.0beta1