Feature #2774
closed
pcap multi dev support for Windows
Added by Peter Manev almost 6 years ago.
Updated over 5 years ago.
Description
Using our Suricata msi pkg on 2016 Win server
C:\Program Files\Suricata>suricata.exe -c suricata.yaml -i 10.0.2.15 -i 192.168.56.101 -vvv
16/1/2019 -- 09:50:40 - <Info> - Running as service: no
16/1/2019 -- 09:50:40 - <Info> - translated 10.0.2.15 to pcap device \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
16/1/2019 -- 09:50:40 - <Info> - translated 192.168.56.101 to pcap device \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
16/1/2019 -- 09:50:40 - <Error> - [ERRCODE: SC_ERR_PCAP_MULTI_DEV_NO_SUPPORT(178)] - pcap multi dev support is not (yet) supported on Windows.
C:\Program Files\Suricata>suricata.exe -V
16/1/2019 -- 09:51:24 - <Info> - Running as service: no
This is Suricata version 4.1.2 RELEASE
C:\Program Files\Suricata>
If you define it as part of the pcap configuration inside suricata.yaml it works though:
# Cross platform libpcap capture support
pcap:
  #- interface: eth0
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as total of memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
    # With some accelerator cards using a modified libpcap (like myricom), you
    # may want to have the same number of capture threads as the number of capture
    # rings. In this case, set up the threads variable to N to start N threads
    # listening on the same interface.
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
    # set snaplen, if not set it defaults to MTU if MTU can be known
    # via ioctl call and to full capture if not.
    #snaplen: 1518
  - interface: \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
  - interface: \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
  # Put default values here
  - interface: default
    #checksum-checks: auto
C:\Program Files\Suricata>suricata.exe -c suricata.yaml --pcap -vvv
16/1/2019 -- 09:58:18 - <Info> - Running as service: no
16/1/2019 -- 09:58:18 - <Notice> - This is Suricata version 4.1.2 RELEASE
16/1/2019 -- 09:58:18 - <Info> - CPUs/cores online: 2
16/1/2019 -- 09:58:18 - <Config> - Adding interface \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F} from config file
16/1/2019 -- 09:58:18 - <Config> - Adding interface \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779} from config file
16/1/2019 -- 09:58:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31753 and 'request-body-inspect-window' set to 4236 after randomization.
...
...
16/1/2019 -- 09:58:22 - <Config> - AutoFP mode using "Hash" flow load balancer
16/1/2019 -- 09:58:22 - <Info> - Using 2 live device(s).
16/1/2019 -- 09:58:22 - <Info> - using interface \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}
16/1/2019 -- 09:58:22 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
16/1/2019 -- 09:58:22 - <Info> - Found an MTU of 1500 for '\Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}'
16/1/2019 -- 09:58:22 - <Info> - Set snaplen to 1524 for '\Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}'
16/1/2019 -- 09:58:22 - <Perf> - NIC offloading on \Device\NPF_{D53813F6-9382-4292-93A0-DA131DA66D9F}: Checksum IPv4 Rx: 0 Tx: 0 IPv6 Rx: 0 Tx: 0 LSOv1 IPv4: 0 LSOv2 IPv4: 0 IPv6: 0
16/1/2019 -- 09:58:22 - <Info> - using interface \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}
16/1/2019 -- 09:58:22 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - COM CoInitializeSecurity failed: 0x80010119
16/1/2019 -- 09:58:22 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
16/1/2019 -- 09:58:22 - <Info> - Found an MTU of 1500 for '\Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}'
16/1/2019 -- 09:58:22 - <Info> - Set snaplen to 1524 for '\Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}'
16/1/2019 -- 09:58:22 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on \Device\NPF_{1B62EC1C-C38A-43E7-B178-09CBDC76A779}: Checksum IPv4 Rx: 1 Tx: 1 IPv6 Rx: 0 Tx: 0 LSOv1 IPv4: 1 LSOv2 IPv4: 0 IPv6: 0
16/1/2019 -- 09:58:22 - <Info> - RunModeIdsPcapAutoFp initialised
16/1/2019 -- 09:58:22 - <Config> - using 1 flow manager threads
16/1/2019 -- 09:58:22 - <Config> - using 1 flow recycler threads
16/1/2019 -- 09:58:23 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
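Added example (not from the ticket and not Suricata's own code): the workaround above requires translating each IPv4 address into its `\Device\NPF_{GUID}` capture device by hand and pasting the result into `suricata.yaml`. The PowerShell below does that translation with the built-in NetAdapter/NetTCPIP cmdlets, emits the multi-interface `pcap:` stanza, and reports the checksum and LSO offload settings that Suricata summarised in its "NIC offloading" warning for the second interface. It assumes, as the "translated ... to pcap device" log lines indicate, that the Npcap/WinPcap device name is `\Device\NPF_` followed by the adapter's `InterfaceGuid`; the function names and the two sample addresses are the example's own.

```powershell
# Map IPv4 addresses to Npcap/WinPcap device names and build the pcap: stanza
# for suricata.yaml. Run in an elevated PowerShell on the sensor host.
function Resolve-NpfDevice {
    param([Parameter(Mandatory)][string]$IPv4Address)

    # IP -> interface index -> adapter GUID. Fail loudly instead of silently
    # capturing on the wrong NIC.
    $ip = @(Get-NetIPAddress -AddressFamily IPv4 -IPAddress $IPv4Address -ErrorAction SilentlyContinue)
    if ($ip.Count -eq 0) { throw "No interface has IPv4 address $IPv4Address" }
    $adapter = Get-NetAdapter -InterfaceIndex $ip[0].InterfaceIndex

    [pscustomobject]@{
        IPv4Address = $IPv4Address
        Adapter     = $adapter.Name
        Status      = $adapter.Status
        # Assumption: Npcap names its devices after the adapter GUID.
        Device      = "\Device\NPF_$($adapter.InterfaceGuid)"
    }
}

function New-SuricataPcapStanza {
    param([Parameter(Mandatory)][string[]]$IPv4Address)

    $devices = $IPv4Address | ForEach-Object { Resolve-NpfDevice -IPv4Address $_ }

    # One list entry per device, followed by the 'default' entry that carries
    # the shared settings, mirroring the working suricata.yaml above.
    $yaml = @('pcap:')
    foreach ($d in $devices) {
        $yaml += "  - interface: $($d.Device)"
        $yaml += "    # $($d.IPv4Address) on '$($d.Adapter)' ($($d.Status))"
    }
    $yaml += '  - interface: default'
    $yaml -join "`n"
}

function Get-CaptureOffloadState {
    param([Parameter(Mandatory)][string]$AdapterName)

    # The settings behind Suricata's "NIC offloading" line: per-protocol
    # checksum offload and large-send offload (LSOv1 / LSOv2).
    $csum = Get-NetAdapterChecksumOffload -Name $AdapterName
    $lso  = Get-NetAdapterLso -Name $AdapterName
    [pscustomobject]@{
        Adapter   = $AdapterName
        IPv4Csum  = $csum.IpIPv4Enabled
        TcpIPv4   = $csum.TcpIPv4Enabled
        TcpIPv6   = $csum.TcpIPv6Enabled
        LSOv1IPv4 = $lso.V1IPv4Enabled
        LSOv2IPv4 = $lso.IPv4Enabled
        LSOv2IPv6 = $lso.IPv6Enabled
    }
}

# Usage with the two addresses from the ticket (sample input): review the
# stanza, paste it into suricata.yaml, then start the engine with
#   suricata.exe -c suricata.yaml --pcap -vvv
$addresses = '10.0.2.15', '192.168.56.101'
New-SuricataPcapStanza -IPv4Address $addresses

# Show offloading per capture adapter. On a dedicated sensor NIC, disable it
# so the engine sees real checksums rather than placeholders:
#   Disable-NetAdapterChecksumOffload -Name '<adapter>'
#   Disable-NetAdapterLso -Name '<adapter>'
$addresses |
    ForEach-Object { Get-CaptureOffloadState -AdapterName (Resolve-NpfDevice -IPv4Address $_).Adapter } |
    Format-Table -AutoSize
```

The stanza is printed rather than written into `suricata.yaml` on purpose: the existing file carries the commented-out per-interface options, and the operator should splice the generated `- interface:` lines in under `pcap:` and keep `- interface: default` as the last entry.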
- Subject changed from pcap multi dev support is for Windows to pcap multi dev support for Windows
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 4.1.3
- Copied to Feature #2820: pcap multi dev support for Windows (5.0.x) added
- Status changed from Assigned to Closed