Bug #3386

closed

Suricata is unable to get MTU from NIC after 4.1.0

Added by Lars Sætaberget about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal

Description

Since the changes in 4474889667d664a66c1c123f4f7d2756e8a7fbb9 the live_devices list in util-device.h is not ready in time for the automatic MTU detection in suricata.c, which relies on LiveGetDeviceCount().
This causes the count to always return 0, and suricata will then silently use the default 1500 + ethernet header as default-packet-size. Reverting this commit fixes the issue, and allows suricata to use the NIC MTU as default-packet-size.

4.1.5:

(gdb) list suricata.c:2519
2514                    /* fall through */
2515                case RUNMODE_PCAP_DEV:
2516                case RUNMODE_AFP_DEV:
2517                case RUNMODE_PFRING:
2518                    nlive = LiveGetDeviceCount();
2519                    for (lthread = 0; lthread < nlive; lthread++) {
2520                        const char *live_dev = LiveGetDeviceName(lthread);
2521                        char dev[128]; /* need to be able to support GUID names on Windows */
2522                        (void)strlcpy(dev, live_dev, sizeof(dev));
2523
(gdb) br suricata.c:2518
Breakpoint 1 at 0x15c27: file suricata.c, line 2518.
(gdb) run

<snip>

Breakpoint 1, ConfigGetCaptureValue (suri=<optimized out>, suri=<optimized out>) at suricata.c:2518
2518                    nlive = LiveGetDeviceCount();
Missing separate debuginfos, use: debuginfo-install glibc-2.17-292.el7.x86_64 jansson-2.10-1.el7.x86_64 libyaml-0.1.4-11.el7_0.x86_64 pcre-8.32-17.el7.x86_64 zlib-1.2.7-18.el7.x86_64
(gdb) p LiveGetDeviceCount()
$1 = 0

4.1.5 with reverted commit:

(gdb) list suricata.c:2527
2522                    /* fall through */
2523                case RUNMODE_PCAP_DEV:
2524                case RUNMODE_AFP_DEV:
2525                case RUNMODE_PFRING:
2526                    nlive = LiveGetDeviceCount();
2527                    for (lthread = 0; lthread < nlive; lthread++) {
2528                        const char *live_dev = LiveGetDeviceName(lthread);
2529                        char dev[128]; /* need to be able to support GUID names on Windows */
2530                        (void)strlcpy(dev, live_dev, sizeof(dev));
2531
(gdb) br suricata.c:2526
Breakpoint 1 at 0x15c07: file suricata.c, line 2526.
(gdb) run

<snip>

Breakpoint 1, ConfigGetCaptureValue (suri=<optimized out>, suri=<optimized out>) at suricata.c:2526
2526                    nlive = LiveGetDeviceCount();
Missing separate debuginfos, use: debuginfo-install glibc-2.17-292.el7.x86_64 jansson-2.10-1.el7.x86_64 libyaml-0.1.4-11.el7_0.x86_64 pcre-8.32-17.el7.x86_64 zlib-1.2.7-18.el7.x86_64
(gdb) p LiveGetDeviceCount()
$1 = 1

I could try fixing this, but I'm not sure what the best approach would be? Perhaps simply create a separate function that counts elements in the pre_live_dev list instead?


Related issues 1 (0 open, 1 closed)

Copied to Suricata - Bug #3391: Suricata is unable to get MTU from NIC after 4.1.0 (4.1.x) - Closed - Eric Leblond

Actions #1

Updated by Victor Julien about 5 years ago

  • Assignee set to Eric Leblond

Actions #2

Updated by Eric Leblond about 5 years ago

Hello Lars, could you test the following branch https://github.com/regit/suricata/tree/fix-mtu ? It should fix the issue.

Actions #4

Updated by Lars Sætaberget about 5 years ago

Yeah that looks good just from a quick test Eric, thanks!
I have only tested the 4.1.x-tree for now though.

Actions #5

Updated by Lars Sætaberget about 5 years ago

Maybe there should be an info log message in the fallback case as well?

Actions #6

Updated by Victor Julien about 5 years ago

  • Status changed from New to Closed
  • Target version set to 5.0.1

Actions #7

Updated by Victor Julien about 5 years ago

  • Copied to Bug #3391: Suricata is unable to get MTU from NIC after 4.1.0 (4.1.x) added
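
A simplified model of the ordering problem from the description, extended with the fallback log message suggested in comment #5. This is an added example, not Suricata's code and not the fix from the fix-mtu branch; all names (register_late, finalize_devices, packet_size_live_only, packet_size_checked), the 14-byte header length and the 9000-byte MTU are assumptions.

```c
#include <stdio.h>

#define MAX_DEVS 8
#define DEFAULT_MTU 1500 /* default named in the report */
#define ETH_HDR_LEN 14   /* assumed Ethernet header length */

/* Hypothetical two-stage registry: devices are queued while options are parsed
 * and become "live" only in finalize_devices(). Entries are constructed MTUs. */
static int pre_mtu[MAX_DEVS], live_mtu[MAX_DEVS], pre_n, live_n;

int register_late(int mtu) {
    if (pre_n >= MAX_DEVS) return -1;
    pre_mtu[pre_n++] = mtu;
    return 0;
}

void finalize_devices(void) {
    while (pre_n > 0 && live_n < MAX_DEVS) live_mtu[live_n++] = pre_mtu[--pre_n];
}

static int max_mtu(const int *m, int n) {
    int best = 0;
    for (int i = 0; i < n; i++) if (m[i] > best) best = m[i];
    return best;
}

/* Reported behaviour: only the live list is read; early calls get the default. */
int packet_size_live_only(void) {
    int mtu = max_mtu(live_mtu, live_n);
    return (mtu > 0 ? mtu : DEFAULT_MTU) + ETH_HDR_LEN;
}

/* Variant: also read the queued list, and log if the default is still used. */
int packet_size_checked(void) {
    int mtu = max_mtu(live_mtu, live_n);
    if (mtu == 0) mtu = max_mtu(pre_mtu, pre_n);
    if (mtu == 0) {
        fprintf(stderr, "info: no device MTU found, using default %d\n", DEFAULT_MTU);
        mtu = DEFAULT_MTU;
    }
    return mtu + ETH_HDR_LEN;
}

int main(void) {
    register_late(9000); /* constructed jumbo-frame NIC */
    printf("before finalize: live-only=%d checked=%d\n", packet_size_live_only(), packet_size_checked());
    finalize_devices();
    printf("after finalize: live-only=%d\n", packet_size_live_only());
    return 0;
}
```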