Support #2721

Updated by Victor Julien over 5 years ago

I receive the following error when running Suricata. The command to run is: 'suricata -i ${INTERFACE} -v -F /etc/suricata/capture-filter.bpf' where INTERFACE is in the logs below.

<pre>
 suricata      | 2/12/2018 -- 02:57:52 - <Warning> - [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)] - using multiple devices to get packets is experimental. 
 suricata      | 2/12/2018 -- 02:57:52 - <Info> - Multiple af-packet option without interface on each is useless 
 suricata      | 2/12/2018 -- 02:57:52 - <Notice> - This is Suricata version 4.0.1 RELEASE 
 suricata      | 2/12/2018 -- 02:57:52 - <Info> - CPUs/cores online: 24 
 suricata      | 2/12/2018 -- 02:57:52 - <Info> - Found an MTU of 1500 for 'enp7s0f0' 
 suricata      | 2/12/2018 -- 02:57:52 - <Info> - Found an MTU of 1500 for 'enp7s0f0' 
 suricata      | 2/12/2018 -- 02:58:02 - <Info> - 53 rule files processed. 22907 rules successfully loaded, 0 rules failed 
 suricata      | 2/12/2018 -- 02:58:02 - <Info> - Threshold config parsed: 0 rule(s) found 
 suricata      | 2/12/2018 -- 02:58:03 - <Info> - 22924 signatures processed. 1197 are IP-only rules, 8572 are inspecting packet payload, 15856 inspect application layer, 105 are decoder event only 
 suricata      | 2/12/2018 -- 02:58:06 - <Info> - dropped the caps for main thread 
 suricata      | 2/12/2018 -- 02:58:06 - <Info> - eve-log output device (regular) initialized: eve.json 
 suricata      | 2/12/2018 -- 02:58:06 - <Info> - Going to log the md5 sum of email body 
 suricata      | 2/12/2018 -- 02:58:06 - <Info> - Going to log the md5 sum of email subject 
 suricata      | 2/12/2018 -- 02:58:06 - <Info> - Going to use 24 thread(s) 
 suricata      | 2/12/2018 -- 02:58:06 - <Notice> - all 24 packet processing threads, 2 management threads initialized, engine started. 
 suricata      | 2/12/2018 -- 02:58:06 - <Info> - Using BPF 'not (host sicherheitstacho.eu or community.sicherheitstacho.eu) and not (host archive.ubuntu.com or security.ubuntu.com) and not (host index.docker.io or docker.io)' on iface 'enp7s0f0' 
 suricata      | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed. 
 suricata      | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "not (host sicherheitstacho.eu or community.sicherheitstacho.eu) and not (host archive.ubuntu.com or security.ubuntu.com) and not (host index.docker.io or docker.io)" failed. 
 suricata      | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error 
 suricata      | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-enp7s0f0 failed 
</pre>

The following is the af-packet section of /etc/suricata/suricata.yaml
<pre>
 # Linux high speed capture support 
 af-packet: 
   - interface: enp7s0f1 
     # Number of receive threads. "auto" uses the number of cores 
     #threads: auto 
     # Default clusterid. AF_PACKET will load balance packets based on flow. 
     cluster-id: 99 
     # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. 
     # This is only supported for Linux kernel > 3.1 
     # possible value are: 
     #    * cluster_round_robin: round robin load balancing 
     #    * cluster_flow: all packets of a given flow are send to the same socket 
     #    * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket 
     #    * cluster_qm: all packets linked by network card to a RSS queue are sent to the same 
     #    socket. Requires at least Linux 3.14. 
     #    * cluster_random: packets are sent randomly to sockets but with an equipartition. 
     #    Requires at least Linux 3.14. 
     #    * cluster_rollover: kernel rotates between sockets filling each socket before moving 
     #    to the next. Requires at least Linux 3.10. 
     # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system 
     # with capture card using RSS (require cpu affinity tuning and system irq tuning) 
     cluster-type: cluster_flow 
     # In some fragmentation case, the hash can not be computed. If "defrag" is set 
     # to yes, the kernel will do the needed defragmentation before sending the packets. 
     defrag: yes 
     # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is 
     # full then kernel will send the packet on the next socket with room available. This option 
     # can minimize packet drop and increase the treated bandwidth on single intensive flow. 
     #rollover: yes 
     # To use the ring feature of AF_PACKET, set 'use-mmap' to yes 
     #use-mmap: yes 
     # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock 
     # your system 
     #mmap-locked: yes 
     # Use experimental tpacket_v3 capture mode, only active if use-mmap is true 
     #tpacket-v3: yes 
     # Ring size will be computed with respect to max_pending_packets and number 
     # of threads. You can set manually the ring size in number of packets by setting 
     # the following value. If you are using flow cluster-type and have really network 
     # intensive single-flow you could want to set the ring-size independently of the number 
     # of threads: 
     #ring-size: 2048 
     # Block size is used by tpacket_v3 only. It should set to a value high enough to contain 
     # a decent number of packets. Size is in bytes so please consider your MTU. It should be 
     # a power of 2 and it must be multiple of page size (usually 4096). 
     #block-size: 32768 
     # tpacket_v3 block timeout: an open block is passed to userspace if it is not 
     # filled after block-timeout milliseconds. 
     #block-timeout: 10 
     # On busy system, this could help to set it to yes to recover from a packet drop 
     # phase. This will result in some packets (at max a ring flush) being non treated. 
     #use-emergency-flush: yes 
     # recv buffer size, increase value could improve performance 
     # buffer-size: 32768 
     # Set to yes to disable promiscuous mode 
     # disable-promisc: no 
     # Choose checksum verification mode for the interface. At the moment 
     # of the capture, some packets may be with an invalid checksum due to 
     # offloading to the network card of the checksum computation. 
     # Possible values are: 
     #    - kernel: use indication sent by kernel for each packet (default) 
     #    - yes: checksum validation is forced 
     #    - no: checksum validation is disabled 
     #    - auto: suricata uses a statistical approach to detect when 
     #    checksum off-loading is used. 
     # Warning: 'checksum-validation' must be set to yes to have any validation 
     #checksum-checks: kernel 
     # BPF filter to apply to this interface. The pcap filter syntax apply here. 
     #bpf-filter: port 80 or udp 
     # You can use the following variables to activate AF_PACKET tap or IPS mode. 
     # If copy-mode is set to ips or tap, the traffic coming to the current 
     # interface will be copied to the copy-iface interface. If 'tap' is set, the 
     # copy is complete. If 'ips' is set, the packet matching a 'drop' action 
     # will not be copied. 
     #copy-mode: ips 
     #copy-iface: eth1 

   # Put default values here. These will be used for an interface that is not 
   # in the list above. 
   - interface: default 
     #threads: auto 
     #use-mmap: no 
     #rollover: yes 
     #tpacket-v3: yes 
</pre>
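The filter in the log above is written with host names, which libpcap has to resolve at the moment it compiles the filter for the AF_PACKET socket. The helper below is an added example, not part of this ticket or of Suricata: it rewrites such a filter into literal addresses ahead of time, so the filter handed to the capture socket no longer depends on name resolution, and a name that cannot be resolved is reported by name rather than as a bare "Filter compilation failed". The `resolver` parameter and the sample addresses are assumptions for offline use; the default resolver is the system one.

```python
"""Pre-resolve host names in a BPF capture filter to literal addresses.

Assumption: every dotted name in the filter is a 'host' term, written either
as 'host NAME' or as a bare NAME after 'or'/'and' (pcap carries the 'host'
qualifier over, as in 'host a.example or b.example').  Filters that use
'net NAME' are not handled.  Example helper, not Suricata's own code.
"""
import re
import socket
from typing import Callable, List

# A dotted token: optional 'host ' keyword, then name parts joined by dots.
_DOTTED = re.compile(r"(?:\bhost\s+)?\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve NAME to all of its IPv4 addresses with the system resolver."""
    return socket.gethostbyname_ex(name)[2]


def resolve_bpf_hosts(bpf: str, resolver: Resolver = system_resolver) -> str:
    """Return BPF with each host name replaced by explicit 'host A.B.C.D' terms.

    Raises ValueError naming the first host that cannot be resolved.
    """

    def replace(match: "re.Match[str]") -> str:
        name = match.group(1)
        if not any(ch.isalpha() for ch in name):
            return match.group(0)  # numeric IPv4 or CIDR literal: leave as is
        try:
            addrs = sorted(set(resolver(name)))
        except (OSError, KeyError) as exc:  # socket.gaierror is an OSError
            raise ValueError(f"cannot resolve host '{name}' in BPF filter: {exc}") from exc
        if not addrs:
            raise ValueError(f"host '{name}' resolved to no addresses")
        terms = " or ".join(f"host {a}" for a in addrs)
        return terms if len(addrs) == 1 else f"({terms})"

    return _DOTTED.sub(replace, bpf)


if __name__ == "__main__":
    with open("/etc/suricata/capture-filter.bpf") as fh:
        print(resolve_bpf_hosts(fh.read().strip()))
```

The resulting filter is a snapshot: rerun the helper (and restart Suricata) when the addresses behind those names change.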
