Feature #1445
Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
Status: Closed
Description
I've searched the issues database and can't find where anyone has logged a bug regarding this issue, which has been discussed for some time on the pfSense forums.
It appears that Suricata does not work on interfaces with PPPoE enabled on pfSense (and possibly any FreeBSD-based OS). The system logs are filled with the following error if Suricata is enabled on a PPPoE interface:
Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
Please see following pfSense forum posts for some previous discussion on the issue:
https://forum.pfsense.org/index.php?topic=73906.msg411752#msg411752
https://forum.pfsense.org/index.php?topic=84529.0
https://forum.pfsense.org/index.php?topic=75780.msg451515#msg451515
As far as I can tell PPPoE should be supported but isn't working in this case, hence the Bug Report. If this is intentional, please convert this to a Feature request.
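The "datalink type 0" in the log above is libpcap's DLT_NULL link type (a 4-byte address-family word in the capturing host's byte order in front of each IP packet), which is what FreeBSD presents for PPPoE and loopback interfaces. The following is an added diagnostic script, not code from this thread or from Suricata, that reads a classic pcap file, reports its link type and, for a DLT_NULL capture, classifies each frame by its address-family header; the pcap it parses is constructed inline, and the IPv6 family values per OS are assumed from the respective socket headers (FreeBSD 28, OpenBSD 24, macOS 30, Linux 10).

```python
import struct

DLT_NULL = 0  # libpcap "BSD loopback" link type; FreeBSD also uses it for PPPoE/netgraph interfaces
# Address-family values seen in the DLT_NULL 4-byte header (host byte order of the capturing machine)
AF_NAMES = {2: "IPv4", 10: "IPv6/Linux", 24: "IPv6/OpenBSD", 28: "IPv6/FreeBSD", 30: "IPv6/macOS"}

def parse_pcap(data: bytes):
    """Return (linktype, [frame bytes, ...]) from a classic (non-pcapng) pcap image."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        e = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        e = "<"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    linktype = struct.unpack(e + "I", data[20:24])[0]
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, frames

def decode_null_frame(frame: bytes) -> str:
    """Classify one DLT_NULL frame by its 4-byte address-family word; host order is unknown, so try both."""
    if len(frame) < 4:
        raise ValueError("truncated DLT_NULL frame")
    for fmt in ("<I", ">I"):
        af = struct.unpack(fmt, frame[:4])[0]
        if af in AF_NAMES:
            return AF_NAMES[af]
    raise ValueError("unknown address family in DLT_NULL header: " + frame[:4].hex())

def check_capture(data: bytes) -> dict:
    """Report the link type and, for a DLT_NULL capture, the address family of every frame."""
    linktype, frames = parse_pcap(data)
    report = {"linktype": linktype, "families": []}
    if linktype == DLT_NULL:
        report["families"] = [decode_null_frame(f) for f in frames]
    return report

def sample_pcap() -> bytes:
    """Constructed little-endian pcap with link type 0: one IPv4 frame and one IPv6 frame (FreeBSD AF value)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_NULL)
    ipv4 = struct.pack("<I", 2) + bytes.fromhex("45000014000100004001f6c10a0000010a000002")
    ipv6 = struct.pack("<I", 28) + bytes.fromhex("6000000000003a40") + b"\x00" * 32
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in (ipv4, ipv6))
```

Run it against a real capture by passing the file's bytes to check_capture(); a reported linktype of 0 is the case the error message in this report refers to.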
Updated by Victor Julien over 9 years ago
Could you attach a small pcap captured on this interface?
Updated by Greg Siemon over 9 years ago
Packet capture attached using pfSense's Packet Capture option on the WAN interface with the NIC set to promiscuous mode. This is on a clean Suricata installation. I set up a WAN interface in Suricata and enabled it. No changes to the default configuration otherwise. Please let me know if this isn't what you wanted.
Updated by Greg Siemon over 9 years ago
I should also add that the Suricata logs were full of the errors above during the packet capture. They started as soon as Suricata was enabled on the WAN interface.
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
Updated by Victor Julien over 9 years ago
- Tracker changed from Bug to Feature
Thanks, will have a patch to test soon.
Updated by Victor Julien over 9 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 2.1beta4
Could you test this patch/branch/pull request? https://github.com/inliniac/suricata/pull/1416
Updated by Greg Siemon over 9 years ago
I worked with the Suricata package maintainer to test this. He ported the patch back into 2.06, which is the latest available version for pfSense. The patched 2.06 release seems to work and the logs no longer contain any of the SC_ERR_DATALINK_UNIMPLEMENTED errors and it seems to be inspecting packets correctly. Please mark as fixed and consider porting back into the 2.0x releases as well as the 2.1 beta.
Updated by Victor Julien over 9 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Merged https://github.com/inliniac/suricata/pull/1416 into the master (2.1) branch. Will let it sit there for a while before considering a backport to 2.0.