Bug #3386
closed
Suricata is unable to get MTU from NIC after 4.1.0
Description
Since the changes in 4474889667d664a66c1c123f4f7d2756e8a7fbb9 the live_devices list in util-device.h is not ready in time for the automatic MTU detection in suricata.c, which relies on LiveGetDeviceCount().
This causes the count to always return 0, and suricata will then silently use the default 1500 + ethernet header as default-packet-size. Reverting this commit fixes the issue, and allows suricata to use the NIC MTU as default-packet-size.
4.1.5:
(gdb) list suricata.c:2519
2514            /* fall through */
2515        case RUNMODE_PCAP_DEV:
2516        case RUNMODE_AFP_DEV:
2517        case RUNMODE_PFRING:
2518            nlive = LiveGetDeviceCount();
2519            for (lthread = 0; lthread < nlive; lthread++) {
2520                const char *live_dev = LiveGetDeviceName(lthread);
2521                char dev[128]; /* need to be able to support GUID names on Windows */
2522                (void)strlcpy(dev, live_dev, sizeof(dev));
2523
(gdb) br suricata.c:2518
Breakpoint 1 at 0x15c27: file suricata.c, line 2518.
(gdb) run
<snip>
Breakpoint 1, ConfigGetCaptureValue (suri=<optimized out>, suri=<optimized out>) at suricata.c:2518
2518            nlive = LiveGetDeviceCount();
Missing separate debuginfos, use: debuginfo-install glibc-2.17-292.el7.x86_64 jansson-2.10-1.el7.x86_64 libyaml-0.1.4-11.el7_0.x86_64 pcre-8.32-17.el7.x86_64 zlib-1.2.7-18.el7.x86_64
(gdb) p LiveGetDeviceCount()
$1 = 0
4.1.5 with reverted commit:
(gdb) list suricata.c:2527
2522            /* fall through */
2523        case RUNMODE_PCAP_DEV:
2524        case RUNMODE_AFP_DEV:
2525        case RUNMODE_PFRING:
2526            nlive = LiveGetDeviceCount();
2527            for (lthread = 0; lthread < nlive; lthread++) {
2528                const char *live_dev = LiveGetDeviceName(lthread);
2529                char dev[128]; /* need to be able to support GUID names on Windows */
2530                (void)strlcpy(dev, live_dev, sizeof(dev));
2531
(gdb) br suricata.c:2526
Breakpoint 1 at 0x15c07: file suricata.c, line 2526.
(gdb) run
<snip>
Breakpoint 1, ConfigGetCaptureValue (suri=<optimized out>, suri=<optimized out>) at suricata.c:2526
2526            nlive = LiveGetDeviceCount();
Missing separate debuginfos, use: debuginfo-install glibc-2.17-292.el7.x86_64 jansson-2.10-1.el7.x86_64 libyaml-0.1.4-11.el7_0.x86_64 pcre-8.32-17.el7.x86_64 zlib-1.2.7-18.el7.x86_64
(gdb) p LiveGetDeviceCount()
$1 = 1
I could try fixing this, but I'm not sure what the best approach would be? Perhaps simply create a separate function that counts elements in the pre_live_dev list instead?
Updated by Eric Leblond about 5 years ago
Hello Lars, could you test the following branch https://github.com/regit/suricata/tree/fix-mtu ? It should fix the issue.
Updated by Eric Leblond about 5 years ago
Also did push code for 4.1.x: https://github.com/regit/suricata/tree/fix-mtu-4.1.x
Updated by Lars Sætaberget about 5 years ago
Yeah that looks good just from a quick test Eric, thanks!
I have only tested the 4.1.x-tree for now though.
Updated by Lars Sætaberget about 5 years ago
Maybe there should be an info log message in the fallback case as well?
Updated by Victor Julien about 5 years ago
- Status changed from New to Closed
- Target version set to 5.0.1
Updated by Victor Julien about 5 years ago
- Copied to Bug #3391: Suricata is unable to get MTU from NIC after 4.1.0 (4.1.x) added