Project

General

Profile

Actions

Feature #2774

closed

pcap multi dev support for Windows

Added by Peter Manev about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Using our Suricata msi pkg on 2016 Win server

C:\Program Files\Suricata>
C:\Program Files\Suricata>
C:\Program Files\Suricata>suricata.exe -c suricata.yaml -i 10.0.2.15 -i 192.168.56.101 -vvv
16/1/2019 -- 09:50:40 - <Info> - Running as service: no
16/1/2019 -- 09:50:40 - <Info> - translated 10.0.2.15 to pcap device \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
16/1/2019 -- 09:50:40 - <Info> - translated 192.168.56.101 to pcap device \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
16/1/2019 -- 09:50:40 - <Error> - [ERRCODE: SC_ERR_PCAP_MULTI_DEV_NO_SUPPORT(178)] - pcap multi dev support is not (yet) supported on Windows.

C:\Program Files\Suricata>suricata.exe -V
16/1/2019 -- 09:51:24 - <Info> - Running as service: no
This is Suricata version 4.1.2 RELEASE

C:\Program Files\Suricata>

Related issues 1 (0 open1 closed)

Copied to Suricata - Feature #2820: pcap multi dev support for Windows (5.0.x)ClosedVictor JulienActions
Actions #1

Updated by Peter Manev about 5 years ago

If you define it as part of the pcap configuration inside suricata.yaml it works thought:

# Cross platform libpcap capture support
pcap:
  #- interface: eth0
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as total of memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25" 
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
    # With some accelerator cards using a modified libpcap (like myricom), you
    # may want to have the same number of capture threads as the number of capture
    # rings. In this case, set up the threads variable to N to start N threads
    # listening on the same interface.
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
    # set snaplen, if not set it defaults to MTU if MTU can be known
    # via ioctl call and to full capture if not.
    #snaplen: 1518
  - interface: \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
  - interface:  \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
  # Put default values here
  - interface: default
    #checksum-checks: auto

C:\Program Files\Suricata>suricata.exe -c suricata.yaml --pcap -vvv
16/1/2019 -- 09:58:18 - <Info> - Running as service: no
16/1/2019 -- 09:58:18 - <Notice> - This is Suricata version 4.1.2 RELEASE
16/1/2019 -- 09:58:18 - <Info> - CPUs/cores online: 2
16/1/2019 -- 09:58:18 - <Config> - Adding interface \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F} from config file
16/1/2019 -- 09:58:18 - <Config> - Adding interface \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779} from config file
16/1/2019 -- 09:58:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31753 and 'request-body-inspect-window' set to 4236 after randomization.
...
...
16/1/2019 -- 09:58:22 - <Config> - AutoFP mode using "Hash" flow load balancer
16/1/2019 -- 09:58:22 - <Info> - Using 2 live device(s).
16/1/2019 -- 09:58:22 - <Info> - using interface \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
16/1/2019 -- 09:58:22 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
16/1/2019 -- 09:58:22 - <Info> - Found an MTU of 1500 for '\Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}'
16/1/2019 -- 09:58:22 - <Info> - Set snaplen to 1524 for '\Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}'
16/1/2019 -- 09:58:22 - <Perf> - NIC offloading on \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}: Checksum IPv4 Rx: 0 Tx: 0 IPv6 Rx: 0 Tx: 0 LSOv1 IPv4: 0 LSOv2 IPv4: 0 IPv6: 0
16/1/2019 -- 09:58:22 - <Info> - using interface \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
16/1/2019 -- 09:58:22 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - COM CoInitializeSecurity failed: 0x80010119
16/1/2019 -- 09:58:22 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
16/1/2019 -- 09:58:22 - <Info> - Found an MTU of 1500 for '\Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}'
16/1/2019 -- 09:58:22 - <Info> - Set snaplen to 1524 for '\Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}'
16/1/2019 -- 09:58:22 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}: Checksum IPv4 Rx: 1 Tx: 1 IPv6 Rx: 0 Tx: 0 LSOv1 IPv4: 1 LSOv2 IPv4: 0 IPv6: 0
16/1/2019 -- 09:58:22 - <Info> - RunModeIdsPcapAutoFp initialised
16/1/2019 -- 09:58:22 - <Config> - using 1 flow manager threads
16/1/2019 -- 09:58:22 - <Config> - using 1 flow recycler threads
16/1/2019 -- 09:58:23 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.

Actions #2

Updated by Peter Manev about 5 years ago

  • Subject changed from pcap multi dev support is for Windows to pcap multi dev support for Windows
Actions #3

Updated by Victor Julien about 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 4.1.3
Actions #4

Updated by Victor Julien about 5 years ago

  • Copied to Feature #2820: pcap multi dev support for Windows (5.0.x) added
Actions #5

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF