Feature #1445
closed
Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
Added by Greg Siemon over 9 years ago.
Updated over 9 years ago.
Description
I've searched the issues database and can't find where anyone has logged a bug regarding this issue, which has been discussed for some time on the pfSense forums.
It appears that Suricata does not work on interfaces with PPPoE enabled on pfSense (and possibly any FreeBSD-based OS). The system logs are filled with the following error if Suricata is enabled on a PPPoE interface:
Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
Please see following pfSense forum posts for some previous discussion on the issue:
https://forum.pfsense.org/index.php?topic=73906.msg411752#msg411752
https://forum.pfsense.org/index.php?topic=84529.0
https://forum.pfsense.org/index.php?topic=75780.msg451515#msg451515
As far as I can tell PPPoE should be supported but isn't working in this case, hence the Bug Report. If this is intentional, please convert this to a Feature request.
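Datalink type 0 in the error above is libpcap's DLT_NULL, which puts a 4-byte address-family header in front of each packet where an Ethernet header would otherwise be. The following is an added example, not part of the original report or of Suricata's code: it reads the link type from a classic pcap file so you can confirm what a capture interface hands to the decoder. The sample captures and all function names are constructed for illustration.

```python
import struct

# Link-layer type numbers from the libpcap/tcpdump registry.
LINKTYPES = {0: "NULL (BSD loopback-style header)", 1: "EN10MB (Ethernet)",
             9: "PPP", 51: "PPP_ETHER (PPPoE session)"}
# Address-family values that can appear in the 4-byte DLT_NULL header.
NULL_FAMILIES = {2: "IPv4", 24: "IPv6", 28: "IPv6", 30: "IPv6"}

def inspect_pcap(data: bytes) -> dict:
    """Return the link type of a classic pcap file and, for link type 0,
    the address family announced by the first packet."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # written by a little-endian host (usec or nsec variant)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"   # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    # Last field of the 24-byte global header; low 16 bits are the link type.
    network = struct.unpack(endian + "I", data[20:24])[0]
    linktype = network & 0xFFFF
    info = {"linktype": linktype,
            "name": LINKTYPES.get(linktype, "other"), "first_family": None}
    # First record: 16-byte header at offset 24, packet bytes from offset 40.
    if linktype == 0 and len(data) >= 44:
        incl_len = struct.unpack(endian + "I", data[32:36])[0]
        if incl_len >= 4:
            # Assumption: the file was written on the capturing host, so the
            # host-order family field shares the file's byte order.
            family = struct.unpack(endian + "I", data[40:44])[0]
            info["first_family"] = NULL_FAMILIES.get(family, f"unknown ({family})")
    return info

def build_sample(linktype: int, payload: bytes) -> bytes:
    """Build a one-packet little-endian pcap (constructed test input)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    rec = struct.pack("<IIII", 0, 0, len(payload), len(payload))
    return hdr + rec + payload

# Constructed samples: an IPv4 packet behind a DLT_NULL header, and an Ethernet frame.
SAMPLE_NULL = build_sample(0, struct.pack("<I", 2) + b"\x45" + bytes(19))
SAMPLE_ETHER = build_sample(1, bytes(12) + b"\x08\x00" + b"\x45" + bytes(19))

if __name__ == "__main__":
    for label, pcap in (("null", SAMPLE_NULL), ("ether", SAMPLE_ETHER)):
        print(label, inspect_pcap(pcap))
```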
Could you attach a small pcap captured on this interface?
Packet capture attached using pfSense's Packet Capture option on the WAN interface with the NIC set to promiscuous mode. This is on a clean Suricata installation. I set up a WAN interface in Suricata and enabled it. No changes to the default configuration otherwise. Please let me know if this isn't what you wanted.
I should also add that the Suricata logs were full of the errors above during the packet capture. They started as soon as Suricata was enabled on the WAN interface.
13/4/2015 -- 19:12:46 - <Error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
- Tracker changed from Bug to Feature
Thanks, will have a patch to test soon.
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 2.1beta4
I worked with the Suricata package maintainer to test this. He ported the patch back into 2.06, which is the latest available version for pfSense. The patched 2.06 release seems to work and the logs no longer contain any of the SC_ERR_DATALINK_UNIMPLEMENTED errors and it seems to be inspecting packets correctly. Please mark as fixed and consider porting back into the 2.0x releases as well as the 2.1 beta.
- Status changed from Assigned to Closed
- % Done changed from 0 to 100