Support #2692
Please help: error found when starting Suricata with XDP (Kernel 14.15.18, Debian 9, NIC Intel X710)
Status: Closed
Priority: Normal
Assignee: -
Description
After executing the command "/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet=enp179s0f1 -vvv", I found the errors below. I tried all of the following kernel versions: 14.13, 14.15.18, and 14.19.2, but it still failed.
Reference - https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:233) <Config> (ParseAFPConfig) -- Enabling tpacket v3 capture on iface enp179s0f1
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:328) <Config> (ParseAFPConfig) -- Using queue based cluster mode for AF_PACKET (iface enp179s0f1)
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:401) <Config> (ParseAFPConfig) -- af-packet will use '/etc/suricata/ebpf/bypass_filter.bpf' as eBPF filter file
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:408) <Config> (ParseAFPConfig) -- Using bypass kernel functionality for AF_PACKET (iface enp179s0f1)
libbpf: failed to create map (name: 'flow_table_v4'): Function not implemented
libbpf: failed to load object '/etc/suricata/ebpf/bypass_filter.bpf'
[9965] 21/11/2018 -- 13:27:52 - (util-ebpf.c:229) <Error> (EBPFLoadFile) -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Permission issue when loading eBPF object: Unknown error -1 (-1)
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:426) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading eBPF filter file
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:643) <Config> (ParseAFPConfig) -- enp179s0f1: enabling zero copy mode by using data release call
[9965] 21/11/2018 -- 13:27:52 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 20 thread(s)
[10053] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10053] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10054] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10054] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10055] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10055] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10058] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10058] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10063] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10063] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10070] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10070] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'