Feature #3618
closed
Af-packet warning during startup
Description
During startup, the command suricata -c /etc/suricata/suricata.yaml --af-packet can be observed:
[15819] 7/4/2020 - 08.17.39 - (source-af-packet.c: 1426) <Warning> (AFPsynchronizeStart) - [ERRCODE: SC_ERR_AFP_READ (191)] poll failed with retval -1
How critical is this? Does this require a decision on my part?
How critical are the other errors in the screenshot?
Kernel 4.19.114 (own assembly).
OS: Ubuntu 18.04
Suricata: 4.1.7 (compiled from the last commit on 04/07/20)
Part of the config:
# Linux high speed capture support
af-packet:
  - interface: ens1f0
    threads: 24
    defrag: yes
    cluster-type: cluster_ebpf
    ebpf-lb-file: /etc/suricata/ebpf/lb.bpf
    cluster-id: 98
    copy-mode: ips
    copy-iface: ens1f1
    buffer-size: 64535
    use-mmap: yes
    ring-size: 100000
  - interface: ens1f1
    threads: 24
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_ebpf
    ebpf-lb-file: /etc/suricata/ebpf/lb.bpf
    copy-mode: ips
    copy-iface: ens1f0
    buffer-size: 64535
    ring-size: 100000
    use-mmap: yes
Updated by Andreas Herz about 4 years ago
The first warnings are related to the rule files, you have some rules that check flowbits but you have no rules that set those flowbits.
Can you try to run it in ids mode for testing instead of ips on only one interface?
What NIC are those interfaces?
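To find which rules cause the flowbits warnings mentioned in the comment above, the following added example (not part of the original thread and not Suricata's own code) lists flowbits that are checked with isset/isnotset but never set by any enabled rule. The sample rules are constructed, and treating set and toggle as the only setters is an assumption of this sketch.

```python
import re
from collections import defaultdict

# flowbits:<cmd>[,<name>]; the name is absent for "noalert"
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+?))?\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

SETTERS = {"set", "toggle"}        # assumption: these count as "setting" a bit
CHECKERS = {"isset", "isnotset"}

# Constructed sample rules; the setter for demo.orphan is commented out,
# which is a common way to end up with a bit that is checked but never set.
SAMPLE_RULES = r"""
alert http any any -> any any (msg:"constructed: sets bit"; flowbits:set,demo.login; flowbits:noalert; sid:1000001; rev:1;)
alert http any any -> any any (msg:"constructed: checks set bit"; flowbits:isset,demo.login; sid:1000002; rev:1;)
alert http any any -> any any (msg:"constructed: checks orphan bit"; flowbits:isset,demo.orphan; sid:1000003; rev:1;)
# alert http any any -> any any (msg:"constructed: disabled setter"; flowbits:set,demo.orphan; sid:1000004; rev:1;)
"""

def checked_but_not_set(rule_lines):
    """Return {flowbit name: [sids that check it]} for bits no enabled rule sets."""
    set_bits = set()
    checked = defaultdict(list)
    for line in rule_lines:
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and disabled rules
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for cmd, names in FLOWBITS_RE.findall(line):
            if not names:                       # e.g. flowbits:noalert;
                continue
            # Split "a|b" groups so each name is tracked on its own.
            for name in (n.strip() for n in names.split("|")):
                if cmd in SETTERS:
                    set_bits.add(name)
                elif cmd in CHECKERS:
                    checked[name].append(sid)
    return {n: sids for n, sids in checked.items() if n not in set_bits}

if __name__ == "__main__":
    import sys
    # With file arguments, scan those rule files; otherwise use the sample.
    lines = SAMPLE_RULES.splitlines()
    if len(sys.argv) > 1:
        lines = [l for p in sys.argv[1:] for l in open(p, encoding="utf-8", errors="replace")]
    for name, sids in sorted(checked_but_not_set(lines).items()):
        print(f"flowbit {name!r} is checked but never set (sids: {sids})")
```

Pass all loaded rule files in one invocation, since a bit set in one file and checked in another is not an orphan.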
Updated by Anonymous about 4 years ago
> Can you try to run it in ids mode for testing instead of ips on only one interface?
Yes. I will provide information within three days.
> What NIC are those interfaces?
Sorry, did not add. I have Intel 350t4v2. I did nothing but recompile the drivers. Are additional settings required?
Updated by Anonymous about 4 years ago
I changed the value of copy-mode: ips to copy-mode: tap, and also turned off all the rules.
Packages still disappear.
Updated by Anonymous about 4 years ago
Oops ... I apologize ... I thought about one thing, and wrote another (not about packages, however).
Yes, the problem with
[15819] 7/4/2020 - 08.17.39 - (source-af-packet.c: 1426) <Warning> (AFPsynchronizeStart) - [ERRCODE: SC_ERR_AFP_READ (191)] poll failed with retval -1
repeated.