<p><strong>Suricata - Support #3115: Problems with starting Suricata on Windows 2016</strong></p>
<p>Open Information Security Foundation, <a href="https://redmine.openinfosecfoundation.org/issues/3115">https://redmine.openinfosecfoundation.org/issues/3115</a></p>
<p><strong>Peter Manev</strong>, 2019-08-15T09:42:32Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13256">journal 13256</a></p>
<p>Can you try</p>
<pre>
suricata.exe -v -c suricata.yaml -i 10.0.2.15
</pre>
<p>where for example "10.0.2.15" is the IP of the interface instead?</p>
<p>Do you also have the same issue with 4.1.4?</p>
<p><strong>Thomas Amwoza</strong>, 2019-08-15T20:29:24Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13258">journal 13258</a></p>
<pre><code class="shell syntaxhl" data-language="shell">C:\Program Files\Suricata>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::35d8:9818:557a:c65b%2
   IPv4 Address. . . . . . . . . . . : 192.168.89.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.89.2

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:34f1:8072:18ff:3ee9:3f57:a67d
   Link-local IPv6 Address . . . . . : fe80::18ff:3ee9:3f57:a67d%15
   Default Gateway . . . . . . . . . : ::

C:\Program Files\Suricata>wmic nicconfig get ipaddress,settingid | findstr 192.168.89.130
{"192.168.89.130", "fe80::35d8:9818:557a:c65b"}  {1AA575E3-2FD0-4955-981A-9BD156D4F2BC}

C:\Program Files\Suricata>suricata.exe -c suricata.yaml -i 192.168.89.130
15/8/2019 -- 15:21:27 - &lt;Info&gt; - Running as service: no
15/8/2019 -- 15:21:27 - &lt;Error&gt; - [ERRCODE: SC_ERR_PCAP_TRANSLATE(201)] - failed to find a pcap device for IP 192.168.89.130
</code></pre>
<p>It just fails straight up when trying to use IP vs Device ID.</p>
<p>Exact same results using 4.1.4 for both IP and Device also.</p>
<p>Also, if I use any version of Npcap newer than 0.992 I get the pcap_dump_fopen error.</p>
<p><strong>Peter Manev</strong>, 2019-08-16T07:43:20Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13260">journal 13260</a></p>
<p>When you installed npcap, did you enable/click "winpcap compatibility mode"?</p>
<p><strong>Thomas Amwoza</strong>, 2019-08-16T12:32:18Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13261">journal 13261</a></p>
<p>Yes, I selected the following options on Npcap install:</p>
<ul>
<li>Automatically start the Npcap driver at boot time</li>
<li>Install Npcap in WinPcap API-compatible Mode</li>
</ul>
<p>Whatever is causing this seems to be specific to Windows 2016 Standard server for me. Following the same process, with the same program versions, on a Windows 2012 Standard server works perfectly.</p>
<p><strong>Peter Manev</strong>, 2019-08-16T15:57:00Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13262">journal 13262</a></p>
<p>I have 2016 Datacenter edition and it works ok there btw.<br />Any chance you could confirm if it is the "edition" that matters in your set up?</p>
<p><strong>Peter Manev</strong>, 2019-08-16T15:58:17Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13263">journal 13263</a></p>
<p>Forgot to ask: are you running it as "admin" or regular user?</p>
<p><strong>Thomas Amwoza</strong>, 2019-08-19T14:59:15Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13274">journal 13274</a></p>
<p>I'm running it as admin, or at least trying to launch it from an admin shell.</p>
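<p>An added example, not from the thread or from the Suricata project, that puts the checks discussed above into one PowerShell script: it confirms the shell is elevated, that the Npcap driver service exists and is running, that the WinPcap API-compatible DLL is present, and then resolves the IPv4 address to the capture-device path using the same IP-to-adapter-GUID mapping the <code>wmic nicconfig get ipaddress,settingid</code> lookup showed, so Suricata can be handed the device instead of relying on its own IP translation (the step that failed with SC_ERR_PCAP_TRANSLATE). Assumed rather than taken from the thread: the driver service name <code>npcap</code>, that compatibility mode places <code>wpcap.dll</code> in <code>System32</code>, the <code>\Device\NPF_{GUID}</code> naming that WinPcap-style libraries use for capture devices, and that Suricata accepts that path as the <code>-i</code> argument. The install directory and the IP address are the ones from the thread and should be changed to match the host.</p>

```powershell
# Added example (not from the thread or Suricata): check the prerequisites raised in
# the ticket and map an IPv4 address to the Npcap capture device before starting Suricata.
# Assumptions: Npcap driver service is named "npcap"; WinPcap API-compatible mode puts
# wpcap.dll in %SystemRoot%\System32; capture devices are named \Device\NPF_{adapter GUID}.
param(
    [string]$Ip = '192.168.89.130',                  # IPv4 from the thread; change to your interface
    [string]$SuricataDir = 'C:\Program Files\Suricata' # install path from the thread
)

function Test-IsAdmin {
    # Suricata needs an elevated shell to open the capture driver.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-NpfDeviceForIp([string]$Address) {
    # Get-NetIPAddress yields the interface index, Get-NetAdapter yields the adapter GUID.
    # This is the same mapping as "wmic nicconfig get ipaddress,settingid" in the thread.
    $ipObj   = Get-NetIPAddress -AddressFamily IPv4 -IPAddress $Address -ErrorAction Stop
    $adapter = Get-NetAdapter -InterfaceIndex $ipObj.InterfaceIndex -ErrorAction Stop
    # InterfaceGuid already carries the braces, e.g. {1AA575E3-2FD0-4955-981A-9BD156D4F2BC}
    return "\Device\NPF_$($adapter.InterfaceGuid)"
}

if (-not (Test-IsAdmin)) {
    Write-Warning 'Not elevated: start this from an Administrator shell before running Suricata.'
}

# Assumed service name for the Npcap kernel driver.
$svc = Get-Service -Name npcap -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'npcap driver service not found: Npcap does not appear to be installed.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "npcap driver service is $($svc.Status); enable 'start at boot' or start it manually."
}

# In WinPcap API-compatible mode the compatibility DLL is expected under System32 (assumption).
$wpcap = Join-Path $env:SystemRoot 'System32\wpcap.dll'
if (-not (Test-Path $wpcap)) {
    Write-Warning 'wpcap.dll missing from System32: reinstall Npcap with "WinPcap API-compatible Mode" selected.'
}

$device = Get-NpfDeviceForIp -Address $Ip
Write-Host "IP $Ip maps to capture device $device"

# Hand Suricata the device path so it does not have to translate the IP itself.
& (Join-Path $SuricataDir 'suricata.exe') -v -c (Join-Path $SuricataDir 'suricata.yaml') -i $device
```

<p>Run it from an elevated PowerShell in the Suricata directory; the warnings correspond one-to-one to the questions asked in the thread (admin shell, driver installed and started, compatibility mode), so a clean run that still fails narrows the problem to the Windows build or the Npcap version rather than the install options.</p>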
<p><strong>Andreas Herz</strong>, 2019-08-20T21:35:38Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13308">journal 13308</a></p>
<ul><li><strong>Assignee</strong> set to <i>Peter Manev</i></li><li><strong>Target version</strong> set to <i>Support</i></li></ul>
<p><strong>Peter Manev</strong>, 2019-08-21T11:06:38Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13317">journal 13317</a></p>
<p>Ok thanks.<br />Would you be able to confirm if the issue is the same on any other 2016 edition? As I was mentioning, I don't have that issue on "datacenter" edition, but it may be some other config/set up switch that we can try to narrow down with your help.</p>
<p><strong>Thomas Amwoza</strong>, 2019-08-22T13:06:44Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13331">journal 13331</a></p>
<p>I'm still using the Standard edition, but I've had better success using a newer version of the installation ISO.</p>
<p>Previously, I was testing under Windows Server 2016 Standard Version 1607 (OS Build 14393.447)<br />Now, I am testing under Windows Server 2016 Standard Version 1607 (OS Build 14393.1884)</p>
<p>So far I've been able to successfully install and run Suricata a few times now, after resetting my testing VM to a pre-installation snapshot between each attempt.</p>
<p>The newer build of Windows seems to have resolved the issues I was having starting Suricata and installing the service.</p>
<p>What is the specific version of Windows 2016 that you are running (type winver at command prompt)?</p>
<p><strong>Peter Manev</strong>, 2019-08-26T23:18:40Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13361">journal 13361</a></p>
<p>The Windows machines I have tested on in my lab are:</p>
<pre>
OS Name Microsoft Windows Server 2016 Standard
Version 10.0.14393 Build 14393
OS Name Microsoft Windows Server 2016 Datacenter
Version 10.0.14393 Build 14393
OS Name Microsoft Windows 10 Enterprise
Version 10.0.17763 Build 17763
</pre>
<p><strong>Thomas Amwoza</strong>, 2019-08-29T19:01:54Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13412">journal 13412</a></p>
<p>I was hoping to see more detail on your tested build versions for Windows 2016, namely what comes after the 14393 (e.g. 14393.1884).</p>
<p>Regardless, I am working correctly now with npcap 0.992 and Suricata 4.1.3 so I am satisfied there. I'll be using these specific versions in my initial deployment plans.</p>
<p>My next focus will be getting the latest npcap (0.9982) and Suricata (4.1.4) working together. What versions of Windows have you tested as working with this combination?</p>
<p><strong>Peter Manev</strong>, 2019-09-05T07:41:19Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=13479">journal 13479</a></p>
<ul><li><strong>File</strong> <a href="/attachments/1766">Win10.PNG</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1766/Win10.PNG">Win10.PNG</a> added</li><li><strong>File</strong> <a href="/attachments/1767">Win2016DCE.PNG</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1767/Win2016DCE.PNG">Win2016DCE.PNG</a> added</li><li><strong>File</strong> <a href="/attachments/1768">Win2016Std.PNG</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1768/Win2016Std.PNG">Win2016Std.PNG</a> added</li></ul>
<p>Sorry for the delay.<br />These are the exact models/numbers, attached.<br />I tried 0.9982 and am still experiencing this: <a class="external" href="https://redmine.openinfosecfoundation.org/issues/2968">https://redmine.openinfosecfoundation.org/issues/2968</a></p>
<p><strong>Andreas Herz</strong>, 2020-09-05T21:26:39Z, <a href="https://redmine.openinfosecfoundation.org/issues/3115?journal_id=17412">journal 17412</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul>
<p>Hi, we're closing this issue since there have been no further responses. If you think this bug is still relevant, try to test it again with the most recent version of suricata and reopen the issue. If you want to improve the bug report please take a look at <a class="external" href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs</a></p>