Bug #392

suricata fail to start with pcap mode if interface is not specified in command

Added by delta yeh over 2 years ago. Updated over 2 years ago.

Status:ClosedStart date:12/29/2011
Priority:NormalDue date:
Assignee:Eric Leblond% Done:

100%

Category:-Estimated time:2.00 hours
Target version:1.2rc1

Description

I update suricate to latest git master, compile and run suricata with:

src/.libs/suricata --pcap -c /etc/suricata/suricata.yaml

the output is :

[2319] 29/12/2011 -- 07:46:11 - (util-device.c:113) <Info>
(LiveBuildDeviceList) -- Adding interface eth0 from config file
[2319] 29/12/2011 -- 07:46:11 - (runmode-pcap.c:123) <Info>
(ParsePcapConfig) -- Unable to find pcap config for interfaceb?

, using default
value
[2319] 29/12/2011 -- 07:46:11 - (runmode-pcap.c:228) &lt;Info&gt;
(RunModeIdsPcapAuto) -- RunModeIdsPcapAuto initialised
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:347) &lt;Info&gt;
(StreamTcpInitConfig) -- stream "max_sessions": 262144
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:359) &lt;Info&gt;
(StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:375) &lt;Info&gt;
(StreamTcpInitConfig) -- stream "memcap": 33554432
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:381) &lt;Info&gt;
(StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:387) &lt;Info&gt;
(StreamTcpInitConfig) -- stream "async_oneside": disabled
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:404) &lt;Info&gt;
(StreamTcpInitConfig) -- stream "checksum_validation": enabled
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:414) &lt;Info&gt;
(StreamTcpInitConfig) -- stream."inline": disabled
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:432) &lt;Info&gt;
(StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:450) &lt;Info&gt;
(StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:491) &lt;Info&gt;
(StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
[2319] 29/12/2011 -- 07:46:11 - (stream-tcp.c:493) &lt;Info&gt;
(StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
[2322] 29/12/2011 -- 07:46:11 - (source-pcap.c:318) &lt;Info&gt;
(ReceivePcapThreadInit) -- using interfaceb?

[2322] 29/12/2011 -- 07:46:11 - (source-pcap.c:359) <Info>
(ReceivePcapThreadInit) -- Going to use pcap buffer size of 0
[2322] 29/12/2011 -- 07:46:11 - (source-pcap.c:376) <Error>
(ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)]
- Couldn't activate the pcap handler, error SIOCGIFHWADDR: No such
device
[2319] 29/12/2011 -- 07:46:11 - (tm-threads.c:1797) <Error>
(TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)]
thread "ReceivePcap" closed on initialization.
[2319] 29/12/2011 -
07:46:11 - (suricata.c:1599) <Error> (main) --
[ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed,
aborting...

0001-pcap-fix-auto-runmode.patch Magnifier (912 Bytes) Eric Leblond, 01/02/2012 02:42 AM

History

#1 Updated by Victor Julien over 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Eric Leblond
  • Priority changed from High to Normal
  • Target version set to 1.2rc1
  • Estimated time set to 2.00

#2 Updated by Eric Leblond over 2 years ago

The attached patch seems to fix the issue.

#3 Updated by Victor Julien over 2 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 80 to 100

Patch applied, thanks Eric!

Also available in: Atom PDF