Feature #2774
pcap multi dev support for Windows (closed)
Description
Using our Suricata msi pkg on 2016 Win server
C:\Program Files\Suricata>
C:\Program Files\Suricata>
C:\Program Files\Suricata>suricata.exe -c suricata.yaml -i 10.0.2.15 -i 192.168.56.101 -vvv
16/1/2019 -- 09:50:40 - <Info> - Running as service: no
16/1/2019 -- 09:50:40 - <Info> - translated 10.0.2.15 to pcap device \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
16/1/2019 -- 09:50:40 - <Info> - translated 192.168.56.101 to pcap device \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
16/1/2019 -- 09:50:40 - <Error> - [ERRCODE: SC_ERR_PCAP_MULTI_DEV_NO_SUPPORT(178)] - pcap multi dev support is not (yet) supported on Windows.

C:\Program Files\Suricata>suricata.exe -V
16/1/2019 -- 09:51:24 - <Info> - Running as service: no
This is Suricata version 4.1.2 RELEASE

C:\Program Files\Suricata>
Updated by Peter Manev about 6 years ago
If you define it as part of the pcap configuration inside suricata.yaml it works though:
# Cross platform libpcap capture support
pcap:
  #- interface: eth0
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as total of memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
    # With some accelerator cards using a modified libpcap (like myricom), you
    # may want to have the same number of capture threads as the number of capture
    # rings. In this case, set up the threads variable to N to start N threads
    # listening on the same interface.
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
    # set snaplen, if not set it defaults to MTU if MTU can be known
    # via ioctl call and to full capture if not.
    #snaplen: 1518
  - interface: \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
  - interface: \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
  # Put default values here
  - interface: default
    #checksum-checks: auto
C:\Program Files\Suricata>suricata.exe -c suricata.yaml --pcap -vvv
16/1/2019 -- 09:58:18 - <Info> - Running as service: no
16/1/2019 -- 09:58:18 - <Notice> - This is Suricata version 4.1.2 RELEASE
16/1/2019 -- 09:58:18 - <Info> - CPUs/cores online: 2
16/1/2019 -- 09:58:18 - <Config> - Adding interface \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F} from config file
16/1/2019 -- 09:58:18 - <Config> - Adding interface \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779} from config file
16/1/2019 -- 09:58:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31753 and 'request-body-inspect-window' set to 4236 after randomization.
...
...
16/1/2019 -- 09:58:22 - <Config> - AutoFP mode using "Hash" flow load balancer
16/1/2019 -- 09:58:22 - <Info> - Using 2 live device(s).
16/1/2019 -- 09:58:22 - <Info> - using interface \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
16/1/2019 -- 09:58:22 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
16/1/2019 -- 09:58:22 - <Info> - Found an MTU of 1500 for '\Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}'
16/1/2019 -- 09:58:22 - <Info> - Set snaplen to 1524 for '\Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}'
16/1/2019 -- 09:58:22 - <Perf> - NIC offloading on \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}: Checksum IPv4 Rx: 0 Tx: 0 IPv6 Rx: 0 Tx: 0 LSOv1 IPv4: 0 LSOv2 IPv4: 0 IPv6: 0
16/1/2019 -- 09:58:22 - <Info> - using interface \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
16/1/2019 -- 09:58:22 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - COM CoInitializeSecurity failed: 0x80010119
16/1/2019 -- 09:58:22 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
16/1/2019 -- 09:58:22 - <Info> - Found an MTU of 1500 for '\Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}'
16/1/2019 -- 09:58:22 - <Info> - Set snaplen to 1524 for '\Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}'
16/1/2019 -- 09:58:22 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}: Checksum IPv4 Rx: 1 Tx: 1 IPv6 Rx: 0 Tx: 0 LSOv1 IPv4: 1 LSOv2 IPv4: 0 IPv6: 0
16/1/2019 -- 09:58:22 - <Info> - RunModeIdsPcapAutoFp initialised
16/1/2019 -- 09:58:22 - <Config> - using 1 flow manager threads
16/1/2019 -- 09:58:22 - <Config> - using 1 flow recycler threads
16/1/2019 -- 09:58:23 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
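Added example, not part of the original ticket or of Suricata: a Python sketch that reads the startup log of the failing `-i ... -i ...` run, picks up the `\Device\NPF_{...}` names Suricata printed, and renders the `pcap:` list used in the workaround above. The function names are hypothetical; the log lines are copied from this page.

```python
import re

# Log lines copied from the failing run shown on this page (-i given twice).
SAMPLE_LOG = r"""16/1/2019 -- 09:50:40 - <Info> - Running as service: no
16/1/2019 -- 09:50:40 - <Info> - translated 10.0.2.15 to pcap device \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
16/1/2019 -- 09:50:40 - <Info> - translated 192.168.56.101 to pcap device \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
16/1/2019 -- 09:50:40 - <Error> - [ERRCODE: SC_ERR_PCAP_MULTI_DEV_NO_SUPPORT(178)] - pcap multi dev support is not (yet) supported on Windows.
"""

# "translated <address> to pcap device \Device\NPF_{<36-char GUID>}"
TRANSLATED = re.compile(
    r"translated (\S+) to pcap device (\\Device\\NPF_\{[0-9A-Fa-f-]{36}\})")
MULTI_DEV_ERR = "SC_ERR_PCAP_MULTI_DEV_NO_SUPPORT"


def parse_translations(log_text):
    """Return [(address, npf_device), ...] in log order, one entry per device."""
    seen, out = set(), []
    for addr, dev in TRANSLATED.findall(log_text):
        if dev not in seen:
            seen.add(dev)
            out.append((addr, dev))
    return out


def hit_multi_dev_limit(log_text):
    """True when the log contains the multi-device error code from this ticket."""
    return MULTI_DEV_ERR in log_text


def pcap_section(devices):
    """Render a pcap: block for suricata.yaml with one entry per device."""
    lines = ["pcap:"]
    for addr, dev in devices:
        lines.append(f"  - interface: {dev}  # was: -i {addr}")
    lines.append("  - interface: default")
    return "\n".join(lines) + "\n"


def workaround(log_text):
    """YAML fragment if the log shows the error for 2+ devices, else None."""
    devices = parse_translations(log_text)
    if not hit_multi_dev_limit(log_text) or len(devices) < 2:
        return None
    return pcap_section(devices)


if __name__ == "__main__":
    print(workaround(SAMPLE_LOG) or "no multi-device error found")
```

After merging the fragment into suricata.yaml and starting with `--pcap`, the `Using 2 live device(s).` line in the log above is the confirmation that both interfaces are being captured.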
Updated by Peter Manev about 6 years ago
- Subject changed from pcap multi dev support is for Windows to pcap multi dev support for Windows
Updated by Victor Julien about 6 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 4.1.3
Updated by Victor Julien almost 6 years ago
- Copied to Feature #2820: pcap multi dev support for Windows (5.0.x) added
Updated by Victor Julien almost 6 years ago
- Status changed from Assigned to Closed