Support #1474
closed
[ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't find iface eth0
Added by Mustaque Ahmad almost 9 years ago.
Updated almost 9 years ago.
Description
After installing Suricata, while trying to run /usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet em1 (em1 is the network interface name),
I got the error message below:
root@suricata:/home/suricata# /usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet em1
26/5/2015 -- 15:54:16 - <Notice> - This is Suricata version 2.0.8 RELEASE
26/5/2015 -- 15:54:22 - <Notice> - all 14 packet processing threads, 3 management threads initialized, engine started.
26/5/2015 -- 15:54:22 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
26/5/2015 -- 15:54:22 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't find iface eth0
26/5/2015 -- 15:54:22 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, retrying soon
26/5/2015 -- 15:54:22 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth1: No such device
26/5/2015 -- 15:54:22 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't find iface eth1
26/5/2015 -- 15:54:22 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, retrying soon
26/5/2015 -- 15:54:42 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Can not open iface 'eth0'
26/5/2015 -- 15:54:42 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Can not open iface 'eth1'
^C26/5/2015 -- 15:54:44 - <Notice> - Signal Received. Stopping engine.
26/5/2015 -- 15:54:45 - <Notice> - Stats for 'eth0': pkts: 0, drop: 0 (-nan%), invalid chksum: 0
26/5/2015 -- 15:54:45 - <Notice> - Stats for 'eth1': pkts: 0, drop: 0 (-nan%), invalid chksum: 0
root@suricata:/home/suricata#
My ifconfig details:
root@suricata:/home/suricata# ifconfig
em1 Link encap:Ethernet HWaddr 00:25:90:de:1f:0b
inet addr:10.0.0.45 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::225:90ff:fede:1f0b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10066 errors:0 dropped:37 overruns:0 frame:0
TX packets:2580 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:963821 (963.8 KB) TX bytes:339164 (339.1 KB)
Interrupt:20 Memory:dfb00000-dfb20000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2392 (2.3 KB) TX bytes:2392 (2.3 KB)
You should try
/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=em1
pending you have configured the suricata.yaml correctly in the af-packet section for interface em1
instead of
/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet em1
Notice "=" missing.
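The two conditions in the answer above (the interface must exist on the host, and suricata.yaml must carry an af-packet entry for it) can be checked before the engine is started. The script below is an added example, not code from the ticket or from the Suricata project: it looks the interface up under /sys/class/net (the real Linux location), greps suricata.yaml for a matching "- interface:" entry, and prints the command line with the "=" attached. The fixture directory, the sample YAML and the exit codes 2 and 3 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the ticket or the Suricata project): pre-flight
# checks for starting Suricata in AF_PACKET mode on a single interface.

# check_iface NAME [SYSFS]: succeed if NAME is a kernel network interface.
# Real hosts list them under /sys/class/net; the demo passes a constructed dir.
check_iface() {
    _name=$1
    _sysfs=${2:-/sys/class/net}
    [ -n "$_name" ] && [ -d "$_sysfs/$_name" ]
}

# yaml_has_iface FILE NAME: succeed if FILE has a "- interface: NAME" entry.
# Without one, Suricata uses the "default" entry; when that entry has no
# cluster-id/cluster-type, startup logs SC_ERR_INVALID_ARGUMENT(13) and
# SC_ERR_GET_CLUSTER_TYPE_FAILED(35), as seen later in this ticket.
yaml_has_iface() {
    grep -Eq "^[[:space:]]*-[[:space:]]*interface:[[:space:]]*$2[[:space:]]*$" "$1"
}

# suricata_cmd NAME [YAML]: the command line to run. The interface name is
# attached with "=": with a space instead, the name is not tied to --af-packet
# and Suricata opens the interfaces from suricata.yaml (eth0/eth1 in the log).
suricata_cmd() {
    printf '/usr/bin/suricata -c %s --af-packet=%s\n' \
        "${2:-/etc/suricata/suricata.yaml}" "$1"
}

# preflight NAME YAML [SYSFS]: run both checks and print the command on success.
# Constructed exit codes: 0 ok, 2 interface missing on host, 3 missing in YAML.
preflight() {
    check_iface "$1" "$3" || { echo "no such interface on host: $1" >&2; return 2; }
    yaml_has_iface "$2" "$1" || { echo "no af-packet entry for $1 in $2" >&2; return 3; }
    suricata_cmd "$1" "$2"
}

# make_fixture: constructed host view (em1, eno1 and lo present, eth0 absent)
# plus a constructed suricata.yaml whose af-packet section lists only em1.
make_fixture() {
    _dir=$(mktemp -d)
    mkdir -p "$_dir/sys/em1" "$_dir/sys/eno1" "$_dir/sys/lo"
    cat > "$_dir/suricata.yaml" <<'EOF'
af-packet:
  - interface: em1
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: default
EOF
    echo "$_dir"
}

# demo: em1 passes; eth0 is not on the host; eno1 is on the host but not in YAML.
demo() {
    _d=$(make_fixture)
    for _i in em1 eth0 eno1; do
        preflight "$_i" "$_d/suricata.yaml" "$_d/sys" \
            || echo "preflight for $_i failed with exit code $?"
    done
    rm -rf "$_d"
}

demo
```

On a real sensor, call preflight with the interface name and the path to suricata.yaml only, so that check_iface reads /sys/class/net; the third argument exists for the constructed fixture.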
- Tracker changed from Bug to Support
- Description updated (diff)
- Assignee deleted (Victor Julien)
- Priority changed from High to Normal
- Target version deleted (2.0.9)
root@suricata:/home/suricata# /usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=eno1
26/5/2015 -- 19:34:25 - <Notice> - This is Suricata version 2.0.8 RELEASE
26/5/2015 -- 19:34:30 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Could not get cluster-id from config
26/5/2015 -- 19:34:30 - <Error> - [ERRCODE: SC_ERR_GET_CLUSTER_TYPE_FAILED(35)] - Could not get cluster-type from config
26/5/2015 -- 19:34:30 - <Notice> - all 13 packet processing threads, 3 management threads initialized, engine started.
Peter Manev wrote:
You should try
[...]
pending you have configured the suricata.yaml correctly in the af-packet section for interface em1
instead of
[...]
Notice "=" missing.
Can you please share the af-packet section in your config?
In the last update you are using "en01" as an interface; in the first report you provided an extract of the interfaces available on your system, "em1" ... which one is it? "em1" or "en01"?
Hi Peter,
Thank you for looking into this. The interface name was em1 earlier; while troubleshooting I changed em1 to eno1. Currently I am using the eno1 interface to run Suricata through af-packet capture. Not sure how to deal with the above errors (error codes 13 and 35). Also, how do I get the af-packet section in your config?
Peter Manev wrote:
Can you please share the af-packet section in your config?
In the last update you are using "en01" as an interface; in the first report you provided an extract of the interfaces available on your system, "em1" ... which one is it? "em1" or "en01"?
Can you please copy/paste the section in your suricata.yaml regarding af-packet here? (You can use pastebin or similar if you would like.)
Peter Manev wrote:
Can you please copy/paste the section in your suricata.yaml regarding af-packet here? (You can use pastebin or similar if you would like.)
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible values are:
    # * cluster_round_robin: round robin load balancing
    # * cluster_flow: all packets of a given flow are sent to the same socket
    # * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can set the ring size manually in number of packets by setting
    # the following value. If you are using flow cluster-type and have a really network
    # intensive single flow you could want to set the ring-size independently of the number
    # of threads:
    #ring-size: 2048
    # On a busy system, setting this to yes could help to recover from a packet drop
    # phase. This will result in some packets (at most a ring flush) not being treated.
    #use-emergency-flush: yes
    # recv buffer size; increasing the value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # offloading of the checksum computation to the network card.
    # Possible values are:
    # - kernel: use indication sent by kernel for each packet (default)
    # - yes: checksum validation is forced
    # - no: checksum validation is disabled
    # - auto: suricata uses a statistical approach to detect when
    # checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packets matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    # buffer-size: 32768
    # disable-promisc: no
  # Put default values here
  - interface: default
    #threads: 2
    #use-mmap: yes
Mustaque Ahmad wrote: Hi Peter, the issue is fixed. I just had to change the interface name in the suricata.yaml (config) file. I tested with testmyids.com and was able to see the alert. Moreover, I will be configuring port mirroring on the switch and connecting that to interface 2 of the Suricata server. Are there any settings that need to be done so that Suricata will see all the traffic on the network? Please suggest. Thanks for the help.
- Status changed from New to Closed