Feature #1940
closed
Debian Jessie - better message when trying to run 2 suricata with afpacket
Added by Peter Manev about 8 years ago. Updated about 5 years ago.
Description
Using - 3.2dev (rev 5dc9c1b) and Debian Jessie - when there is already a running Suricata and a second one is started -
/usr/bin/suricata -c /etc/suricata/suricata.yaml -S test.rules --af-packet
It results in a misleading message:
[16487] 28/10/2016 -- 16:40:08 - (runmode-af-packet.c:404) <Notice> (ParseAFPConfig) -- fanout not supported on this system, falling back to 1 capture thread
[16487] 28/10/2016 -- 16:40:08 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
Files
Screenshot from 2019-05-29 08-10-09.png (372 KB) | Peter Manev, 05/29/2019 06:10 AM
Updated by Eric Leblond about 8 years ago
Fix should be implemented by https://github.com/regit/suricata/commit/ed22ba202beec77cb5416702caa0cb21d77767d7. Can you give feedback on this?
Updated by Victor Julien about 8 years ago
- Target version changed from 3.2rc1 to TBD
Updated by Peter Manev about 8 years ago
With the provided fix there is no misleading message but no hint at what could be the reason either:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -v
[12182] 29/11/2016 -- 10:34:16 - (suricata.c:1005) <Notice> (SCPrintVersion) -- This is Suricata version 3.2dev (rev ed22ba2)
[12182] 29/11/2016 -- 10:34:16 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[12182] 29/11/2016 -- 10:34:16 - (app-layer-dnp3.c:1603) <Warning> (RegisterDNP3Parsers) -- [ERRCODE: SC_ERR_DNP3_CONFIG(290)] - No DNP3 configuration found, enabling DNP3 detection on port 20000
[12182] 29/11/2016 -- 10:34:16 - (app-layer-dnp3.c:1618) <Info> (RegisterDNP3Parsers) -- Registering DNP3/tcp parsers.
[12182] 29/11/2016 -- 10:34:16 - (util-ioctl.c:105) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'wlan0'
[12182] 29/11/2016 -- 10:34:16 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[12182] 29/11/2016 -- 10:34:19 - (detect.c:507) <Info> (SigLoadSignatures) -- 39 rule files processed. 12689 rules successfully loaded, 0 rules failed
[12182] 29/11/2016 -- 10:34:19 - (detect.c:3502) <Info> (SigAddressPrepareStage1) -- 12697 signatures processed. 1180 are IP-only rules, 5135 are inspecting packet payload, 8004 inspect application layer, 0 are decoder event only
[12182] 29/11/2016 -- 10:34:20 - (util-threshold-config.c:1188) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[12182] 29/11/2016 -- 10:34:20 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[12182] 29/11/2016 -- 10:34:20 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[12182] 29/11/2016 -- 10:34:20 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[12182] 29/11/2016 -- 10:34:20 - (util-runmodes.c:285) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[12182] 29/11/2016 -- 10:34:20 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[12182] 29/11/2016 -- 10:34:20 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[12183] 29/11/2016 -- 10:34:20 - (source-af-packet.c:476) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
It is definitely better than before in my view - but it seems the msg - https://github.com/regit/suricata/commit/ed22ba202beec77cb5416702caa0cb21d77767d7#diff-e77389f2d8111b800388ad83c1ca6b73R404 does not kick in?
Updated by Eric Leblond over 6 years ago
- Subject changed from Debian Jessie - better mesage when trying to run 2 suricata with afpacket to Debian Jessie - better message when trying to run 2 suricata with afpacket
Updated by Peter Manev over 5 years ago
The message is the same as before but it is better than the original reported here. Tested on Buster/Bullseye with latest master.
Updated by Victor Julien over 5 years ago
Peter can you paste the output of your latest test?
Updated by Peter Manev over 5 years ago
Please see attached.
The start line was the same in both screens -
sudo /opt/suritest/bin/suricata -i eno1
Updated by Victor Julien over 5 years ago
Please copy paste the output in the future Peter.
So it says 'fanout not supported by kernel: Invalid argument'. This doesn't sound useful at all. I would suggest expanding it to something like:
'fanout not supported by kernel: Invalid argument. Kernel too old or cluster-id XX already in use'
Updated by Peter Manev over 5 years ago
Yes - sorry about that -
[4338] 31/5/2019 -- 11:12:16 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data": 5
[4338] 31/5/2019 -- 11:12:21 - (source-af-packet.c:2002) <Perf> (AFPIsFanoutSupported) -- fanout not supported by kernel: Invalid argument
[4338] 31/5/2019 -- 11:12:21 - (runmode-af-packet.c:643) <Config> (ParseAFPConfig) -- eno1: enabling zero copy mode by using data release call
[4338] 31/5/2019 -- 11:12:21 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[4338] 31/5/2019 -- 11:12:21 - (flow-manager.c:815) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads
[4338] 31/5/2019 -- 11:12:21 - (flow-manager.c:976) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
[4338] 31/5/2019 -- 11:12:21 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[4338] 31/5/2019 -- 11:12:21 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/opt/suritest/var/run/suricata/suricata-command.socket'
[4338] 31/5/2019 -- 11:12:21 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[4340] 31/5/2019 -- 11:12:21 - (source-af-packet.c:1752) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1584 frame_nr=2060
[4340] 31/5/2019 -- 11:12:21 - (source-af-packet.c:509) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
It is better than prior to the fix but maybe could also use/add "ERRCODE/Warning" stanza msg as currently it does not really jump out.
Updated by Victor Julien about 5 years ago
- Related to Optimization #1595: Suricata starts in known conditions of no data added
Updated by Victor Julien about 5 years ago
The relevant message from the above is
[4338] 31/5/2019 -- 11:12:21 - (source-af-packet.c:2002) <Perf> (AFPIsFanoutSupported) -- fanout not supported by kernel: Invalid argument
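Added example (not part of the ticket or of Suricata's code): a small startup-log check that surfaces the fanout fallback discussed above, since it is logged below Warning level and the engine still starts. The function name, the finding fields and the hint text are assumptions made for this sketch; the hint wording follows the expansion suggested earlier in the thread.

```python
import re

# Console log layout seen in this thread:
# [pid] d/m/yyyy -- hh:mm:ss - (file.c:line) <Level> (Function) -- message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<date>\S+) -- (?P<time>\S+) - "
    r"\((?P<src>[^)]+)\) <(?P<level>\w+)> \((?P<func>\w+)\) -- (?P<msg>.*)$"
)
THREADS_RE = re.compile(r"all (\d+) packet processing threads")
# Levels below Warning, which do not stand out in the output.
QUIET_LEVELS = {"Perf", "Config", "Info", "Notice"}
# Assumed hint text; wording follows the expansion suggested in the thread.
HINT = "kernel too old or cluster-id already in use"


def find_fanout_fallback(lines):
    """Return one finding per process that logged a fanout failure."""
    findings = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Suricata console line
        pid, msg = m["pid"], m["msg"]
        if "fanout not supported" in msg:
            findings[pid] = {
                "pid": int(pid), "source": m["src"], "level": m["level"],
                "easy_to_miss": m["level"] in QUIET_LEVELS,
                "capture_threads": None, "hint": HINT,
            }
        elif pid in findings:
            started = THREADS_RE.search(msg)
            if started:  # engine came up anyway; record with how many threads
                findings[pid]["capture_threads"] = int(started.group(1))
    return list(findings.values())


# Sample input: lines copied from the output quoted in this thread, plus one
# constructed non-log line to exercise the skip path.
SAMPLE = """\
suricata: starting (constructed line, not Suricata output)
[16487] 28/10/2016 -- 16:40:08 - (runmode-af-packet.c:404) <Notice> (ParseAFPConfig) -- fanout not supported on this system, falling back to 1 capture thread
[16487] 28/10/2016 -- 16:40:08 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[4338] 31/5/2019 -- 11:12:21 - (source-af-packet.c:2002) <Perf> (AFPIsFanoutSupported) -- fanout not supported by kernel: Invalid argument
[4338] 31/5/2019 -- 11:12:21 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[4340] 31/5/2019 -- 11:12:21 - (source-af-packet.c:509) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
""".splitlines()

if __name__ == "__main__":
    for finding in find_fanout_fallback(SAMPLE):
        print(finding)
```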
Updated by Victor Julien about 5 years ago
- Status changed from Feedback to Assigned
- Assignee changed from Eric Leblond to Shivani Bhardwaj
- Target version changed from TBD to 5.0.0
The goal is to get a clearer error/warning message.
Updated by Shivani Bhardwaj about 5 years ago
- Priority changed from Normal to Urgent
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Closed
- Priority changed from Urgent to Normal