Support #1474
Status: closed
[ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't find iface eth0
Description
After installing Suricata, while trying to run /usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet em1 (network interface name),
I got the below error message:
root@suricata:/home/suricata# /usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet em1
26/5/2015 -- 15:54:16 - <Notice> - This is Suricata version 2.0.8 RELEASE
26/5/2015 -- 15:54:22 - <Notice> - all 14 packet processing threads, 3 management threads initialized, engine started.
26/5/2015 -- 15:54:22 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
26/5/2015 -- 15:54:22 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't find iface eth0
26/5/2015 -- 15:54:22 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, retrying soon
26/5/2015 -- 15:54:22 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth1: No such device
26/5/2015 -- 15:54:22 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't find iface eth1
26/5/2015 -- 15:54:22 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, retrying soon
26/5/2015 -- 15:54:42 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Can not open iface 'eth0'
26/5/2015 -- 15:54:42 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Can not open iface 'eth1'
^C26/5/2015 -- 15:54:44 - <Notice> - Signal Received. Stopping engine.
26/5/2015 -- 15:54:45 - <Notice> - Stats for 'eth0': pkts: 0, drop: 0 (-nan%), invalid chksum: 0
26/5/2015 -- 15:54:45 - <Notice> - Stats for 'eth1': pkts: 0, drop: 0 (-nan%), invalid chksum: 0
root@suricata:/home/suricata#
My ifconfig detail:
root@suricata:/home/suricata# ifconfig
em1       Link encap:Ethernet  HWaddr 00:25:90:de:1f:0b
          inet addr:10.0.0.45  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::225:90ff:fede:1f0b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10066 errors:0 dropped:37 overruns:0 frame:0
          TX packets:2580 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:963821 (963.8 KB)  TX bytes:339164 (339.1 KB)
          Interrupt:20 Memory:dfb00000-dfb20000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2392 (2.3 KB)  TX bytes:2392 (2.3 KB)
Updated by Peter Manev about 10 years ago
You should try
/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=em1
pending you have configured the suricata.yaml correctly in the af-packet section for interface em1
instead of
/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet em1
Notice "=" missing.
Updated by Victor Julien about 10 years ago
- Tracker changed from Bug to Support
- Description updated (diff)
- Assignee deleted (Victor Julien)
- Priority changed from High to Normal
- Target version deleted (2.0.9)
Updated by Mustaque Ahmad about 10 years ago
root@suricata:/home/suricata# /usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=eno1
26/5/2015 -- 19:34:25 - <Notice> - This is Suricata version 2.0.8 RELEASE
26/5/2015 -- 19:34:30 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Could not get cluster-id from config
26/5/2015 -- 19:34:30 - <Error> - [ERRCODE: SC_ERR_GET_CLUSTER_TYPE_FAILED(35)] - Could not get cluster-type from config
26/5/2015 -- 19:34:30 - <Notice> - all 13 packet processing threads, 3 management threads initialized, engine started.
Peter Manev wrote:
You should try
[...]
pending you have configured the suricata.yaml correctly in the af-packet section for interface em1
instead of
[...]
Notice "=" missing.
Updated by Peter Manev about 10 years ago
Can you please share the af-packet section in your config?
In the last update you are using "en01" as an interface; in the first report you have provided an extract of the interfaces available on your system, "em1" ... which one is it? "em1" or "en01"?
Updated by Mustaque Ahmad about 10 years ago
Hi Peter,
Thank you for looking into this. The interface name was em1 earlier; while troubleshooting I changed em1 to eno1. Currently I am using the eno1 interface to run Suricata through af-packet capture. Not sure how to deal with the above errors (error codes 13 and 35). Also, how do I get the af-packet section of my config?
Peter Manev wrote:
Can you please share the af-packet section in your config?
In the last update you are using "en01" as an interface; in the first report you have provided an extract of the interfaces available on your system, "em1" ... which one is it? "em1" or "en01"?
Updated by Peter Manev about 10 years ago
Can you please copy/paste the section in your suricata.yaml regarding af-packet here. (you can use pastebin or similar if you would like )
Updated by Mustaque Ahmad about 10 years ago
Peter Manev wrote:
Can you please copy/paste the section in your suricata.yaml regarding af-packet here. (you can use pastebin or similar if you would like )
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are send to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
    cluster-type: cluster_flow
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow cluster-type and have really network
    # intensive single-flow you could want to set the ring-size independantly of the number
    # of threads:
    #ring-size: 2048
    # On busy system, this could help to set it to yes to recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) being non treated.
    #use-emergency-flush: yes
    # recv buffer size, increase value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax apply here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap od IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    # buffer-size: 32768
    # disable-promisc: no
  # Put default values here
  - interface: default
    #threads: 2
    #use-mmap: yes
Updated by Mustaque Ahmad about 10 years ago
Hi Peter, the issue is fixed. It's just that I had to change the interface name in the suricata.yaml (config) file. I tested with testmyids.com and was able to see the alert. Moreover, I will be configuring port mirroring on the switch and connecting that to interface 2 of the Suricata server. Is there any setting that needs to be done so that Suricata will see all the traffic on the network? Please suggest. Thanks for the help.
Mustaque Ahmad wrote:
Peter Manev wrote:
Can you please copy/paste the section in your suricata.yaml regarding af-packet here. (you can use pastebin or similar if you would like )
[...]
Updated by Peter Manev about 10 years ago
- Status changed from New to Closed
Marking as resolved.
As long as you mirror the traffic onto an interface that Suricata is listening to, you should be good.
Make sure you disable offloading on the NIC - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction#NIC-offloading
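The check that would have caught this thread's mismatch up front, as an added example (not part of the thread or of the Suricata project): it reads the interface names out of the af-packet section of suricata.yaml and verifies each one exists on the host, which is exactly what the engine failed to do for eth0/eth1 above. Assumed: the yaml path and the interface directory (/sys/class/net on a real host) are passed as parameters so the constructed sample below runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or the Suricata project: cross-check the
# interfaces named under af-packet in suricata.yaml against the ones the kernel
# exposes, the mismatch behind the "Couldn't find iface eth0" errors above.
# Assumptions: the yaml path and an interface directory (/sys/class/net on a
# real host) are passed in, so the check can run against a constructed sample.

# Print the interface names listed under af-packet, skipping the "default"
# pseudo-interface and any commented-out entries.
afpacket_ifaces() {
    awk '
        /^[^ #]/ { in_afp = ($1 == "af-packet:") }   # a top-level key opens or closes the section
        in_afp && $1 == "-" && $2 == "interface:" && $3 != "default" { print $3 }
    ' "$1"
}

# Return 0 when every configured interface exists under $2, else list the
# missing ones and return 1 (the engine would log SC_ERR_AFP_CREATE for each).
check_ifaces() {
    yaml=$1; netdir=$2; rc=0
    for ifc in $(afpacket_ifaces "$yaml"); do
        if [ -e "$netdir/$ifc" ]; then
            echo "ok: $ifc"
        else
            echo "missing: $ifc (fix 'interface:' in $yaml, or pass --af-packet=<iface> with the '=')"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the thread: the yaml still names eth0/eth1 while
# the host (like the ifconfig output above) only has em1 and lo.
tmp=$(mktemp -d)
cat > "$tmp/suricata.yaml" <<'EOF'
af-packet:
  - interface: eth0
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth1
    cluster-id: 98
  - interface: default
EOF
mkdir -p "$tmp/net/em1" "$tmp/net/lo"
check_ifaces "$tmp/suricata.yaml" "$tmp/net" || echo "suricata would fail to open its capture interfaces"
```

On a real sensor, run it as check_ifaces /etc/suricata/suricata.yaml /sys/class/net before starting the engine.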