Project

General

Profile

Support #2692

Updated by Victor Julien over 6 years ago

After executed command "/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid    --af-packet=enp179s0f1 -vvv", found error as below.    The kernal version was trying all following version 14.13, 14.15.18, and 14.19.2 but still failed. 


 Reference - https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html 


 <pre> 
 [9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:233) <Config> (ParseAFPConfig) -- Enabling tpacket v3 capture on iface enp179s0f1 
 [9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:328) <Config> (ParseAFPConfig) -- Using queue based cluster mode for AF_PACKET (iface enp179s0f1) 
 [9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:401) <Config> (ParseAFPConfig) -- af-packet will use '/etc/suricata/ebpf/bypass_filter.bpf' as eBPF filter file 
 [9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:408) <Config> (ParseAFPConfig) -- Using bypass kernel functionality for AF_PACKET (iface enp179s0f1) 
 libbpf: failed to create map (name: 'flow_table_v4'): Function not implemented 
 libbpf: failed to load object '/etc/suricata/ebpf/bypass_filter.bpf' 
 [9965] 21/11/2018 -- 13:27:52 - (util-ebpf.c:229) <Error> (EBPFLoadFile) -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Permission issue when loading eBPF object: Unknown error -1 (-1) 
 [9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:426) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading eBPF filter file 
 [9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:643) <Config> (ParseAFPConfig) -- enp179s0f1: enabling zero copy mode by using data release call 
 [9965] 21/11/2018 -- 13:27:52 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 20 thread(s) 
 [10053] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4' 
 [10053] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6' 
 [10054] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4' 
 [10054] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6' 
 [10055] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4' 
 [10055] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6' 
 [10058] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4' 
 [10058] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6' 
 [10063] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4' 
 [10063] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6' 
 [10070] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4' 
 [10070] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6' 
 </pre>

Back