Feature #1940

closed

Debian Jessie - better message when trying to run 2 suricata with afpacket

Added by Peter Manev about 8 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Using 3.2dev (rev 5dc9c1b) on Debian Jessie, when there is already a running Suricata and a second one is started with

/usr/bin/suricata -c /etc/suricata/suricata.yaml -S test.rules  --af-packet

It results in a misleading message:

[16487] 28/10/2016 -- 16:40:08 - (runmode-af-packet.c:404) <Notice> (ParseAFPConfig) -- fanout not supported on this system, falling back to 1 capture thread
[16487] 28/10/2016 -- 16:40:08 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.


Related issues (1 open, 0 closed)

Related to Suricata - Optimization #1595: Suricata starts in known conditions of no data (New; OISF Dev)
Actions #1

Updated by Eric Leblond about 8 years ago

Fix should be implemented by https://github.com/regit/suricata/commit/ed22ba202beec77cb5416702caa0cb21d77767d7. Can you give feedback on this?

Actions #2

Updated by Victor Julien about 8 years ago

  • Target version changed from 3.2rc1 to TBD
Actions #3

Updated by Peter Manev about 8 years ago

With the provided fix there is no misleading message, but no hint at what the reason could be either:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet  -v
[12182] 29/11/2016 -- 10:34:16 - (suricata.c:1005) <Notice> (SCPrintVersion) -- This is Suricata version 3.2dev (rev ed22ba2)
[12182] 29/11/2016 -- 10:34:16 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[12182] 29/11/2016 -- 10:34:16 - (app-layer-dnp3.c:1603) <Warning> (RegisterDNP3Parsers) -- [ERRCODE: SC_ERR_DNP3_CONFIG(290)] - No DNP3 configuration found, enabling DNP3 detection on port 20000
[12182] 29/11/2016 -- 10:34:16 - (app-layer-dnp3.c:1618) <Info> (RegisterDNP3Parsers) -- Registering DNP3/tcp parsers.
[12182] 29/11/2016 -- 10:34:16 - (util-ioctl.c:105) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'wlan0'
[12182] 29/11/2016 -- 10:34:16 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[12182] 29/11/2016 -- 10:34:19 - (detect.c:507) <Info> (SigLoadSignatures) -- 39 rule files processed. 12689 rules successfully loaded, 0 rules failed
[12182] 29/11/2016 -- 10:34:19 - (detect.c:3502) <Info> (SigAddressPrepareStage1) -- 12697 signatures processed. 1180 are IP-only rules, 5135 are inspecting packet payload, 8004 inspect application layer, 0 are decoder event only
[12182] 29/11/2016 -- 10:34:20 - (util-threshold-config.c:1188) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[12182] 29/11/2016 -- 10:34:20 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[12182] 29/11/2016 -- 10:34:20 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[12182] 29/11/2016 -- 10:34:20 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[12182] 29/11/2016 -- 10:34:20 - (util-runmodes.c:285) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[12182] 29/11/2016 -- 10:34:20 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[12182] 29/11/2016 -- 10:34:20 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[12183] 29/11/2016 -- 10:34:20 - (source-af-packet.c:476) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.

It is definitely better than before in my view, but it seems the message at https://github.com/regit/suricata/commit/ed22ba202beec77cb5416702caa0cb21d77767d7#diff-e77389f2d8111b800388ad83c1ca6b73R404 does not kick in?

Actions #4

Updated by Eric Leblond over 6 years ago

  • Subject changed from Debian Jessie - better mesage when trying to run 2 suricata with afpacket to Debian Jessie - better message when trying to run 2 suricata with afpacket
Actions #5

Updated by Andreas Herz over 5 years ago

Is this still an issue?

Actions #6

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Feedback
Actions #7

Updated by Peter Manev over 5 years ago

The message is the same as before, but it is better than the original reported here. Tested on Buster/Bullseye with latest master.

Actions #8

Updated by Victor Julien over 5 years ago

Peter can you paste the output of your latest test?

Actions #9

Updated by Peter Manev over 5 years ago

Please see attached.
The start line was the same in both screens -

sudo /opt/suritest/bin/suricata -i eno1

Actions #10

Updated by Victor Julien over 5 years ago

Please copy-paste the output in the future, Peter.

So it says 'fanout not supported by kernel: Invalid argument'. This doesn't sound useful at all. I would suggest expanding it to something like:

'fanout not supported by kernel: Invalid argument. Kernel too old or cluster-id XX already in use'

Actions #11

Updated by Peter Manev over 5 years ago

Yes - sorry about that -

[4338] 31/5/2019 -- 11:12:16 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data": 5
[4338] 31/5/2019 -- 11:12:21 - (source-af-packet.c:2002) <Perf> (AFPIsFanoutSupported) -- fanout not supported by kernel: Invalid argument
[4338] 31/5/2019 -- 11:12:21 - (runmode-af-packet.c:643) <Config> (ParseAFPConfig) -- eno1: enabling zero copy mode by using data release call
[4338] 31/5/2019 -- 11:12:21 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[4338] 31/5/2019 -- 11:12:21 - (flow-manager.c:815) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads
[4338] 31/5/2019 -- 11:12:21 - (flow-manager.c:976) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
[4338] 31/5/2019 -- 11:12:21 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[4338] 31/5/2019 -- 11:12:21 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/opt/suritest/var/run/suricata/suricata-command.socket'
[4338] 31/5/2019 -- 11:12:21 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[4340] 31/5/2019 -- 11:12:21 - (source-af-packet.c:1752) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1584 frame_nr=2060
[4340] 31/5/2019 -- 11:12:21 - (source-af-packet.c:509) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.

It is better than prior to the fix, but maybe it could also use/add an "ERRCODE/Warning" stanza message, as currently it does not really jump out.

Actions #12

Updated by Victor Julien over 5 years ago

Actions #13

Updated by Victor Julien over 5 years ago

The relevant message from the above is

[4338] 31/5/2019 -- 11:12:21 - (source-af-packet.c:2002) <Perf> (AFPIsFanoutSupported) -- fanout not supported by kernel: Invalid argument

Actions #14

Updated by Victor Julien over 5 years ago

  • Status changed from Feedback to Assigned
  • Assignee changed from Eric Leblond to Shivani Bhardwaj
  • Target version changed from TBD to 5.0.0

The goal is to get a clearer error/warning message.
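
As an added illustration (not Suricata's code, and not part of this thread) of the probe behind the `AFPIsFanoutSupported` log line in #11 and of the clearer message Victor proposes in #10: an unbound AF_PACKET socket tries to join fanout group `cluster_id`, and the resulting errno is mapped to a verdict and message. The errno interpretation (ENOPROTOOPT = kernel predates PACKET_FANOUT, EINVAL = group id already taken with incompatible settings), the verdict names and the cluster-id 99 are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>      /* htons */
#include <linux/if_ether.h>  /* ETH_P_ALL */
#include <linux/if_packet.h> /* PACKET_FANOUT, PACKET_FANOUT_HASH */

enum fanout_verdict { FANOUT_OK, FANOUT_KERNEL_TOO_OLD, FANOUT_ID_IN_USE, FANOUT_NO_PRIV, FANOUT_OTHER };

/* Map the failing call's errno to a verdict plus a message in the form Victor
 * proposes in #10. Assumption (not stated on the page): ENOPROTOOPT = kernel
 * predates PACKET_FANOUT; EINVAL = a group with this id already exists in the
 * netns with incompatible settings, e.g. one held by another instance. */
enum fanout_verdict fanout_hint(int err, int cluster_id, char *buf, size_t n)
{
    switch (err) {
    case 0:
        snprintf(buf, n, "fanout supported, cluster-id %d is free", cluster_id);
        return FANOUT_OK;
    case ENOPROTOOPT:
        snprintf(buf, n, "fanout not supported by kernel: %s. Kernel too old", strerror(err));
        return FANOUT_KERNEL_TOO_OLD;
    case EINVAL:
        snprintf(buf, n, "fanout not supported by kernel: %s. Kernel too old or "
                 "cluster-id %d already in use", strerror(err), cluster_id);
        return FANOUT_ID_IN_USE;
    case EPERM: case EACCES:
        snprintf(buf, n, "cannot open AF_PACKET socket: %s (need CAP_NET_RAW)", strerror(err));
        return FANOUT_NO_PRIV;
    default:
        snprintf(buf, n, "fanout probe failed: %s", strerror(err));
        return FANOUT_OTHER;
    }
}

/* Probe the running kernel with an unbound socket (assumed to be the shape of
 * the AFPIsFanoutSupported check). Returns 0 on success, else the failing errno. */
int fanout_probe(int cluster_id)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return errno;
    int arg = cluster_id | (PACKET_FANOUT_HASH << 16); /* layout per packet(7) */
    int err = setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &arg, sizeof(arg)) < 0 ? errno : 0;
    close(fd); /* closing the probe socket leaves the group again */
    return err;
}
```

Run `fanout_hint(fanout_probe(99), 99, buf, sizeof buf)` with CAP_NET_RAW while another instance holds cluster-id 99 to see the EINVAL case; without the capability the message reports the missing privilege instead of a misleading fanout verdict.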

Actions #15

Updated by Shivani Bhardwaj about 5 years ago

  • Priority changed from Normal to Urgent
Actions #16

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to Closed
  • Priority changed from Urgent to Normal