Bug #7618

closed

af-packet: setting bpf fails

Added by Victor Julien 11 days ago. Updated 11 days ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Regression since the 7.0.9-related patches:

sudo ./src/suricata -c suricata.yaml -l /var/log/suricata/ --af-packet=wlp3s0 -v --set af-packet.1.bpf-filter=icmp --set af-packet.1.tpacket-v3=true --set default-rule-path=. --runmode=autofp 
Notice: suricata: This is Suricata version 8.0.0-dev (c7043908c3 2025-03-18) running in SYSTEM mode [LogVersion:suricata.c:1155]
Info: cpu: CPUs/cores online: 16 [UtilCpuPrintSummary:util-cpu.c:149]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2690]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:201]
Info: conf: Running in live mode, activating unix socket [ConfUnixSocketIsEnable:util-conf.c:154]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:654]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:654]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:654]
Warning: detect: No rule files match the pattern ./suricata.rules [ProcessSigFiles:detect-engine-loader.c:237]
Warning: detect: 1 rule files specified, but no rules were loaded! [SigLoadSignatures:detect-engine-loader.c:357]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1015]
Info: detect: 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only [SigPrepareStage1:detect-engine-build.c:1812]
Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket' [UnixNew:unix-manager.c:136]
Warning: af-packet: wlp3s0: tpacket v3 is only implemented for 'workers' runmode. Switching to tpacket v2. [ParseAFPConfig:runmode-af-packet.c:307]
Warning: af-packet: wlp3s0: AF_PACKET tpacket-v3 is recommended for non-inline operation [ParseAFPConfig:runmode-af-packet.c:778]
Info: runmodes: Going to use 16 ReceiveAFP receive thread(s) [RunModeSetLiveCaptureAutoFp:util-runmodes.c:111]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Error: af-packet: wlp3s0: failed to compile BPF "icmp": snaplen of 0 rejects all packets [AFPSetBPFFilter:source-af-packet.c:2161]
Error: af-packet: wlp3s0: failed to init socket for interface [ReceiveAFPLoop:source-af-packet.c:1347]
Error: threads: thread "RX#01" failed to start: flags 0523 [WaitOnThreadsRunningByType:tm-threads.c:1804]

The workaround is specifying default-packet-size on the command line:

sudo ./src/suricata -c suricata.yaml -l /var/log/suricata/ --af-packet=wlp3s0 -v --set af-packet.1.bpf-filter=icmp --set af-packet.1.tpacket-v3=true --set default-rule-path=. --runmode=autofp --set default-packet-size=1514
Notice: suricata: This is Suricata version 8.0.0-dev (c7043908c3 2025-03-18) running in SYSTEM mode [LogVersion:suricata.c:1155]
Info: cpu: CPUs/cores online: 16 [UtilCpuPrintSummary:util-cpu.c:149]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2690]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:201]
Info: conf: Running in live mode, activating unix socket [ConfUnixSocketIsEnable:util-conf.c:154]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:654]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:654]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:654]
Warning: detect: No rule files match the pattern ./suricata.rules [ProcessSigFiles:detect-engine-loader.c:237]
Warning: detect: 1 rule files specified, but no rules were loaded! [SigLoadSignatures:detect-engine-loader.c:357]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1015]
Info: detect: 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only [SigPrepareStage1:detect-engine-build.c:1812]
Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket' [UnixNew:unix-manager.c:136]
Warning: af-packet: wlp3s0: tpacket v3 is only implemented for 'workers' runmode. Switching to tpacket v2. [ParseAFPConfig:runmode-af-packet.c:307]
Warning: af-packet: wlp3s0: AF_PACKET tpacket-v3 is recommended for non-inline operation [ParseAFPConfig:runmode-af-packet.c:778]
Info: runmodes: Going to use 16 ReceiveAFP receive thread(s) [RunModeSetLiveCaptureAutoFp:util-runmodes.c:111]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Info: af-packet: wlp3s0: using BPF 'icmp' [AFPSetBPFFilter:source-af-packet.c:2150]
Notice: threads: Threads created -> RX: 16 W: 16 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1900]
^CNotice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2825]


Subtasks 1 (0 open, 1 closed)

Bug #7619: af-packet: setting bpf fails (7.0.x backport) [Closed, Victor Julien]

Related issues 2 (0 open, 2 closed)

Has duplicate: Suricata - Bug #7625: BPF filters no longer working with Suricata-7.0.9 on Rocky Linux 8 [Rejected]
Has duplicate: Suricata - Bug #7628: Error: af-packet: ens64: failed to compile BPF "not net 192.168.250.0/24": snaplen of 0 rejects all packets [Rejected]
Actions #1

Updated by OISF Ticketbot 11 days ago

  • Subtask #7619 added
Actions #2

Updated by OISF Ticketbot 11 days ago

  • Label deleted (Needs backport to 7.0)
Actions #3

Updated by Victor Julien 11 days ago

  • Status changed from New to In Review
Actions #4

Updated by Victor Julien 11 days ago

  • Status changed from In Review to Resolved
Actions #5

Updated by Victor Julien 11 days ago

  • Status changed from Resolved to Closed
Actions #6

Updated by Victor Julien 7 days ago

  • Has duplicate Bug #7625: BPF filters no longer working with Suricata-7.0.9 on Rocky Linux 8 added
Actions #7

Updated by Victor Julien 5 days ago

  • Has duplicate Bug #7628: Error: af-packet: ens64: failed to compile BPF "not net 192.168.250.0/24": snaplen of 0 rejects all packets added