Af-packet keeps trying to find interface eth0. I specified a different one already

Hi Everyone,

New user here. Following the Setup Guide. Using Fedora 40.

Suricata says in its logs:
af-packet: eth0: unable to find af-packet config for interface "eth0" or "default", using default values
[4049 - Suricata-Main] 2024-08-25 05:18:52 Error: af-packet: eth0: failed to find interface type: No such device
[4049 - Suricata-Main] 2024-08-25 05:18:52 Info: runmodes: eth0: creating 12 threads
[4049 - Suricata-Main] 2024-08-25 05:18:52 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[4055 - W#01-eth0] 2024-08-25 05:18:52 Error: af-packet: eth0: failed to find interface: No such device
[4055 - W#01-eth0] 2024-08-25 05:18:52 Error: af-packet: eth0: failed to init socket for interface
[4049 - Suricata-Main] 2024-08-25 05:18:52 Error: threads: thread "W#01-eth0" failed to start: flags 0423

But I have already specified that the interface is enp2s0 in the af-packet section. The service starts, but I don’t get the ‘engine started’ as it says in the Guide, and I am just getting the above. Where is it finding this eth0, somewhere else in the yaml?

I have also tried changing every mention of eth0 in the entire yaml, but then the service does not start.

There are 2 mentions of ‘interface’ in the af-packet section: a) originally says eth0, so I changed that, and b) says default. I left it at that and the service starts, but I get the same errors about eth0. So I changed b) to ‘enp2s0’ also, and the service starts correctly again, but I am getting the same errors. Where is this ‘default’ defined? It is not in the vars section. Is it hard coded in Suricata?

Or maybe ‘enp2s0’ is not a valid interface name in Suricata’s books? I got my interface name from doing ‘ip addr’ as the guide says to do.

Thanks for the help.

Hi,

What command line is being used to start Suricata?

Can you post the af-packet snippet from the Suricata configuration file suricata.yaml?

Hi,

I just use ‘systemctl restart suricata.service’ to run suricata.

Here is the af-packet section:
```yaml
af-packet:
  - interface: enp2s0
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #    socket. Requires at least Linux 3.14.
    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
    #    more info.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
    # cluster_rollover has been deprecated; if used, it'll be replaced with cluster_flow.
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    #use-mmap: yes
    # Lock memory map to avoid it being swapped. Be careful that over
    # subscribing could lock your system
    #mmap-locked: yes
    # Use tpacket_v3 capture mode, only active if use-mmap is true
    # Don't use it in IPS or TAP mode as it causes severe latency
    #tpacket-v3: yes
    # Ring size will be computed with respect to "max-pending-packets" and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow "cluster-type" and have really network
    # intensive single-flow you may want to set the "ring-size" independently of the number
    # of threads:
    #ring-size: 2048
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be multiple of page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On busy systems, set it to yes to help recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) not being inspected.
    #use-emergency-flush: yes
    # recv buffer size, increased value could improve performance
    buffer-size: 32768
    # Set to yes to disable promiscuous mode
    disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # the checksum computation being offloaded to the network card.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: Suricata uses a statistical approach to detect when
    #    checksum off-loading is used.
    # Warning: 'capture.checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
    # For eBPF and XDP setup including bypass, filter and load balancing, please
    # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.

  # Put default values here. These will be used for an interface that is not
  # in the list above.
  #- interface: default
  - interface: enp2s0
    #threads: auto
    #use-mmap: no
    #tpacket-v3: yes
```

Are you using the RPM? If so, you should edit /etc/sysconfig/suricata, by default -i eth0 is in there and that will override the configuration file. You could change that to your interface or simply change it to --af-packet, then the af-packet section of the configuration will be used.

This is lightly mentioned here, 3. Installation — Suricata 7.0.6 documentation, but could probably be called out better.
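A small check for the override described in the reply, written as an added example (not part of the thread or of the Suricata project): it reads the OPTIONS= line of a sysconfig file and the af-packet: interface list of a suricata.yaml, reports which one Suricata will actually use, and produces the corrected OPTIONS with `-i <iface>` swapped for `--af-packet`. The sample files are constructed here; the `--user suricata` part of the default OPTIONS line is an assumption.

```shell
# Added example, not from the thread or the Suricata project: the RPM's
# /etc/sysconfig/suricata passes "-i eth0" in OPTIONS, and a "-i <iface>" on
# the command line overrides the af-packet: interface list in suricata.yaml.
set -eu

# Interface given as "-i <iface>" in the file's OPTIONS= line (empty if none).
sysconfig_iface() {
    prev=""
    for tok in $(sed -n 's/^OPTIONS=//p' "$1" | tr -d '"'); do
        [ "$prev" = "-i" ] && { echo "$tok"; return 0; }
        prev=$tok
    done
    return 0
}

# Interfaces listed as "- interface: X" under af-packet: in suricata.yaml;
# commented-out entries such as "#- interface: default" are skipped.
yaml_af_packet_ifaces() {
    awk '/^af-packet:/ { inside = 1; next }
         inside && /^[^ #-]/ { inside = 0 }
         inside && /^[ ]*- interface:/ { print $3 }' "$1"
}

# "override:<iface>" when the sysconfig -i wins, else "yaml:<list>".
effective_capture_iface() {
    cli=$(sysconfig_iface "$1")
    if [ -n "$cli" ]; then echo "override:$cli"; return 0; fi
    echo "yaml:$(yaml_af_packet_ifaces "$2" | tr '\n' ' ' | sed 's/ $//')"
}

# OPTIONS with "-i <iface>" replaced by "--af-packet" (the fix suggested in
# the reply): Suricata then uses the af-packet: section of suricata.yaml.
fixed_options() {
    out=""; skip=0
    for tok in $(sed -n 's/^OPTIONS=//p' "$1" | tr -d '"'); do
        if [ "$skip" = 1 ]; then skip=0; continue; fi
        if [ "$tok" = "-i" ]; then out="$out --af-packet"; skip=1; continue; fi
        out="$out $tok"
    done
    echo "${out# }"
}

# Constructed sample files mirroring the thread (not the poster's real files);
# "--user suricata" is an assumption about the RPM default.
demo_dir=$(mktemp -d)
printf 'OPTIONS="-i eth0 --user suricata "\n' > "$demo_dir/sysconfig"
printf 'af-packet:\n  - interface: enp2s0\n    cluster-id: 99\n  #- interface: default\n  - interface: default\n' > "$demo_dir/suricata.yaml"
echo "effective: $(effective_capture_iface "$demo_dir/sysconfig" "$demo_dir/suricata.yaml")"
echo "suggested OPTIONS=\"$(fixed_options "$demo_dir/sysconfig")\""
```

Run against the real files with `effective_capture_iface /etc/sysconfig/suricata /etc/suricata/suricata.yaml`; an `override:` result means the yaml interface list is not the one in effect.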

Thanks Jason, it is now working. I modified /etc/sysconfig/suricata. This info should definitely be moved to the Install Guide section.