ERRCODE: SC_ERR_INVALID_VALUE(130)] - Failed to compile BPF

Hi,
I am using suricata-5.0.4 with pf_ring. When I increase the threads in the suricata.yaml file and start Suricata, I get the error below:

4/5/2021 -- 09:54:23 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Failed to compile BPF ">> /var/log/ez-suricata-run.log 2>&1"
4/5/2021 -- 09:54:23 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Failed to compile BPF ">> /var/log/ez-suricata-run.log 2>&1"
4/5/2021 -- 09:54:23 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Failed to compile BPF ">> /var/log/ez-suricata-run.log 2>&1"
4/5/2021 -- 09:54:23 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Failed to compile BPF ">> /var/log/ez-suricata-run.log 2>&1"
4/5/2021 -- 09:54:23 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Failed to compile BPF ">> /var/log/ez-suricata-run.log 2>&1"
4/5/2021 -- 09:54:23 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Failed to compile BPF ">> /var/log/ez-suricata-run.log 2>&1"

suricata.yaml

pfring:
  - interface: eth0
    threads: 8
    cluster-id: 88
    cluster-type: cluster_flow

My service file:
/usr/bin/suricata --pfring-int=eth0 --pfring-cluster-id=88 --pfring-cluster-type=cluster_flow -c /opt/etc/suricata/suricata.yaml

Linux version
Static hostname: <>
Icon name: computer-server
Chassis: server
Machine ID: <>
Boot ID: <>
Operating System: Ubuntu 18.04.5 LTS
Kernel: Linux 5.4.0-72-generic
Architecture: x86-64

Can you post the PF Ring configuration section from your suricata.yaml file?

For reference only, here’s the default pfring configuration for Suricata 7-ish:

# PF_RING configuration: for use with native PF_RING support
# for more info see http://www.ntop.org/products/pf_ring/
pfring:
  - interface: eth0
    # Number of receive threads. If set to 'auto' Suricata will first try
    # to use CPU (core) count and otherwise RSS queue count.
    threads: auto

    # Default clusterid.  PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99

    # Default PF_RING cluster type. PF_RING can load balance per flow.
    # Possible values are cluster_flow or cluster_round_robin.
    cluster-type: cluster_flow

    # bpf filter for this interface
    #bpf-filter: tcp

    # If bypass is set then the PF_RING hw bypass is activated, when supported
    # by the network interface. Suricata will instruct the interface to bypass
    # all future packets for a flow that need to be bypassed.
    #bypass: yes

    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # the checksum computation being offloaded to the network card.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: Suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
  # Second interface
  #- interface: eth1
  #  threads: 3
  #  cluster-id: 93
  #  cluster-type: cluster_flow
  # Put default values here
  - interface: default
    #threads: 2
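
An added example, not part of either post: a small Python triage that pulls the filter text out of "Failed to compile BPF" lines like those quoted in the question and flags text that looks like shell redirection rather than a BPF expression. Suricata treats trailing non-option command-line arguments as a BPF filter, so redirection text that reaches it as plain arguments ends up in this error. The function names, the heuristic regexes and the sample lines are assumptions of this example.

```python
import re

# Captures the filter text Suricata quotes in its BPF compile error. Accepts
# straight quotes and the typographic quotes that forum software substitutes.
BPF_ERR = re.compile(r'Failed to compile BPF\s+["\u201c](?P<expr>.*)["\u201d]\s*$')

# Heuristics (assumptions of this example, not Suricata logic):
# fd duplication such as 2>&1, and a redirection operator followed by a path.
FD_DUP = re.compile(r'(?:^|\s)\d*[<>]&\d+(?=\s|$)')
REDIR_PATH = re.compile(r'(?:^|\s)\d*(?:>>?|<)\s*\.{0,2}/\S+')

# Constructed sample: two lines in the format shown in the question (one with
# typographic quotes, one with straight quotes) and one invented BPF typo.
SAMPLE_LOG = [
    '4/5/2021 -- 09:54:23 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - '
    'Failed to compile BPF \u201c>> /var/log/ez-suricata-run.log 2>&1\u201d',
    '4/5/2021 -- 09:54:23 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - '
    'Failed to compile BPF ">> /var/log/ez-suricata-run.log 2>&1"',
    '4/5/2021 -- 09:54:24 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - '
    'Failed to compile BPF "tcp annd port 80"',
]

def failed_filters(lines):
    """Return {filter_text: occurrences} for every BPF compile failure."""
    counts = {}
    for line in lines:
        m = BPF_ERR.search(line.rstrip("\n"))
        if m:
            counts[m.group("expr")] = counts.get(m.group("expr"), 0) + 1
    return counts

def shell_fragments(expr):
    """Return the pieces of expr that look like shell redirection."""
    return [m.group(0).strip()
            for rx in (REDIR_PATH, FD_DUP) for m in rx.finditer(expr)]

def triage(lines):
    """Classify each failed filter as leaked shell syntax or a plain BPF error."""
    report = []
    for expr, count in failed_filters(lines).items():
        frags = shell_fragments(expr)
        kind = "shell-redirection" if frags else "bpf-syntax"
        report.append({"filter": expr, "count": count,
                       "kind": kind, "evidence": frags})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A "shell-redirection" result points at how the process is launched rather than at the `bpf-filter` setting in suricata.yaml.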