Af-packet: Some IPS capture threads did not peer

Please include the following information with your help request:

  • suricata 8.0.0
  • ubuntu 23.11 and kernel version : 6.5.0-41-generic
  • How you installed Suricata (from source, packages, something else)

i’ve this problem,i configured correctly ,and i’m on vmware workstation, could you help me ?

see the logs:

sudo cat  /etc/systemd/system/suricata.service 
Description=Suricata IDS/IPS service

ExecStart=/usr/bin/suricata/suricata -c /etc/suricata/suricata.yaml --engine-analysis -i ens33
ExecReload=/bin/kill -HUP $MAINPID

alexandre@alexandre-m:~/Documents/suricata$ sudo cat  /usr/var/log/suricata/suricata_error.log 
Error: af-packet: thread number not equal [AFPPeersListCheck:source-af-packet.c:482]
Error: af-packet: Some IPS capture threads did not peer. [RunModeIdsAFPWorkers:runmode-af-packet.c:841]
  - interface: ens33
    # Number of receive threads. "auto" uses the number of cores
    threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #  socket. Requires at least Linux 3.14.
    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
    #  more info.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
    # cluster_rollover has been deprecated; if used, it'll be replaced with cluster_flow.
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Lock memory map to avoid it being swapped. Be careful that over
    # subscribing could lock your system
    #mmap-locked: yes
    # Use tpacket_v3 capture mode, only active if use-mmap is true
    # Don't use it in IPS or TAP mode as it causes severe latency
    #tpacket-v3: yes
    # Ring size will be computed with respect to "max-pending-packets" and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow "cluster-type" and have really network
    # intensive single-flow you may want to set the "ring-size" independently of the number
    # of threads:
    ring-size: 2048
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be multiple of page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On busy systems, set it to yes to help recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) not being inspected.
    use-emergency-flush: yes
    # recv buffer size, increased value could improve performance
    buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # the checksum computation being offloaded to the network card.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: Suricata uses a statistical approach to detect when
    #  checksum off-loading is used.
    # Warning: 'capture.checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    copy-mode: ips
    copy-iface: lo
    #  For eBPF and XDP setup including bypass, filter and load balancing, please
    #  see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.

  # Put default values here. These will be used for an interface that is not
  # in the list above.
  #- interface: ens33
   # threads: 2
    #use-mmap: yes
    #tpacket-v3: yes
    #checksum-checks: auto

As I’ve seen from your other post, it seems like you figured it out - copy-iface is severely misconfigured - it contains lo and doesn’t have its’ own configuration node

now it’s :

  - interface: ens33
    threads: 8
    defrag: yes 
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: ens37
    buffer-size: 64535
    use-mmap: yes
  - interface: ens37
    threads: 8
    cluster-id: 97  
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: ens33
    buffer-size: 64535 
    use-mmap: yes