ERROR: Pcap file does not exist

Hi,

Today, after I restarted my server and ran my usual command:

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml -r -&

I found that my Suricata 4.1.10 could not start. I searched around and tried:

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r /dev/stdin

It runs, but then it suddenly stops. The log is:
9/10/2021 -- 23:40:10 - - This is Suricata version 4.1.10 RELEASE
9/10/2021 -- 23:40:10 - - CPUs/cores online: 4
9/10/2021 -- 23:40:10 - - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder..' to 'decoder.event..'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
9/10/2021 -- 23:40:10 - - fast output device (regular) initialized: fast.log
9/10/2021 -- 23:40:10 - - Using log dir /var/log/suricata/
9/10/2021 -- 23:40:10 - - Selected pcap-log compression method: none
9/10/2021 -- 23:40:10 - - using normal logging
9/10/2021 -- 23:40:10 - - stats output device (regular) initialized: stats.log
9/10/2021 -- 23:40:16 - - 55 rule files processed. 37041 rules successfully loaded, 0 rules failed
9/10/2021 -- 23:40:16 - - Threshold config parsed: 0 rule(s) found
9/10/2021 -- 23:40:18 - - 37044 signatures processed. 634 are IP-only rules, 3961 are inspecting packet payload, 33645 inspect application layer, 0 are decoder event only
9/10/2021 -- 23:40:57 - - Checking file or directory /dev/stdin
9/10/2021 -- 23:40:57 - - Argument /dev/stdin was a directory
9/10/2021 -- 23:40:57 - - Initializing PCAP ring buffer for /var/log/suricata//log.pcap.
9/10/2021 -- 23:40:57 - - Ring buffer initialized with 0 files.
9/10/2021 -- 23:40:57 - - all 5 packet processing threads, 4 management threads initialized, engine started.
9/10/2021 -- 23:40:57 - - Starting directory run for /dev/stdin
9/10/2021 -- 23:40:57 - - Processing pcaps directory /dev/stdin, files must be newer than 0 and older than 18446744073709550616
9/10/2021 -- 23:40:57 - - Directory run mode complete
9/10/2021 -- 23:40:57 - - Signal Received. Stopping engine.
9/10/2021 -- 23:40:57 - - time elapsed 0.135s
9/10/2021 -- 23:40:57 - - Pcap-file module read 0 files, 0 packets, 0 bytes
9/10/2021 -- 23:40:57 - - Alerts: 0
9/10/2021 -- 23:40:58 - - cleaning up signature grouping structure... complete

Please help. What should I do?

Hi and welcome to the community!

Suricata stopped because of a signal, as indicated by the following message.

I encourage you to update your Suricata deployment to a version such as 5.0.7 or 6.0.3 before we spend too much time trying to determine what might be happening.

The version you're using has been end-of-lifed (and is no longer supported).

Hi Jeff,

Will there be any issue with my current rules if I upgrade to version 5? May I know how I can upgrade? If I am not mistaken, I am doing a manual installation; are there any steps I should follow?

Please advise, and thank you so much.

Dear All,

I just upgraded to the latest Suricata 6, but I am still facing the same problem when I run the command:

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r /dev/stdin
11/10/2021 -- 05:39:17 - - This is Suricata version 6.0.3 RELEASE running in USER mode
11/10/2021 -- 05:39:17 - - CPUs/cores online: 4
11/10/2021 -- 05:39:17 - - fast output device (regular) initialized: fast.log
11/10/2021 -- 05:39:17 - - Using log dir .
11/10/2021 -- 05:39:17 - - Selected pcap-log compression method: none
11/10/2021 -- 05:39:17 - - using normal logging
11/10/2021 -- 05:39:17 - - stats output device (regular) initialized: stats.log
11/10/2021 -- 05:39:22 - - 55 rule files processed. 37020 rules successfully loaded, 0 rules failed
11/10/2021 -- 05:39:22 - - Threshold config parsed: 0 rule(s) found
11/10/2021 -- 05:39:24 - - 37023 signatures processed. 613 are IP-only rules, 3960 are inspecting packet payload, 32443 inspect application layer, 0 are decoder event only
11/10/2021 -- 05:40:51 - - Argument /dev/stdin was a directory
11/10/2021 -- 05:40:51 - - Initializing PCAP ring buffer for ./log.pcap.
11/10/2021 -- 05:40:51 - - Ring buffer initialized with 0 files.
11/10/2021 -- 05:40:52 - - all 5 packet processing threads, 4 management threads initialized, engine started.
11/10/2021 -- 05:40:52 - - Starting directory run for /dev/stdin
11/10/2021 -- 05:40:52 - - Processing pcaps directory /dev/stdin, files must be newer than 0 and older than 18446744073709550616
11/10/2021 -- 05:40:52 - - Directory run mode complete
11/10/2021 -- 05:40:52 - - Signal Received. Stopping engine.
11/10/2021 -- 05:40:52 - - time elapsed 0.731s
11/10/2021 -- 05:40:52 - - Pcap-file module read 0 files, 0 packets, 0 bytes
11/10/2021 -- 05:40:52 - - Alerts: 0
11/10/2021 -- 05:40:53 - - cleaning up signature grouping structure... complete

I also modified suricata.yaml so that it does not load any rules, but it is still the same thing.

Please help me. Thank you.

Hi,

I just tried running it a different way, without '-r':

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -i enp2s4
11/10/2021 -- 19:10:59 - - Including configuration file rules.yaml.
11/10/2021 -- 19:10:59 - - This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
11/10/2021 -- 19:10:59 - - CPUs/cores online: 4
11/10/2021 -- 19:10:59 - - Found an MTU of 1500 for 'enp2s4'
11/10/2021 -- 19:10:59 - - Found an MTU of 1500 for 'enp2s4'
11/10/2021 -- 19:10:59 - - fast output device (regular) initialized: fast.log
11/10/2021 -- 19:10:59 - - Using log dir /var/log/suricata/
11/10/2021 -- 19:10:59 - - Selected pcap-log compression method: none
11/10/2021 -- 19:10:59 - - using normal logging
11/10/2021 -- 19:10:59 - - stats output device (regular) initialized: stats.log
11/10/2021 -- 19:10:59 - - Running in live mode, activating unix socket
11/10/2021 -- 19:11:06 - - 55 rule files processed. 37021 rules successfully loaded, 0 rules failed
11/10/2021 -- 19:11:06 - - Threshold config parsed: 0 rule(s) found
11/10/2021 -- 19:11:10 - - 37024 signatures processed. 614 are IP-only rules, 3960 are inspecting packet payload, 32443 inspect application layer, 0 are decoder event only
11/10/2021 -- 19:12:29 - - Going to use 4 ReceiveAFP receive thread(s)
11/10/2021 -- 19:12:29 - - Initializing PCAP ring buffer for /var/log/suricata//log.pcap.
11/10/2021 -- 19:12:29 - - Ring buffer initialized with 1 files.
11/10/2021 -- 19:12:29 - - Running in live mode, activating unix socket
11/10/2021 -- 19:12:29 - - Using unix socket file '/var/run/suricata/suricata-command.socket'
11/10/2021 -- 19:12:29 - - all 8 packet processing threads, 4 management threads initialized, engine started.
11/10/2021 -- 19:12:29 - - All AFP capture threads are running.

And there is no more 'Signal Received. Stopping engine.' But why can't it run as usual with '-r'?

Please help. TQ

If I use '-r':

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r -&
root@netmon [~]# 11/10/2021 -- 19:18:42 - - [ERRCODE: SC_ERR_INITIALIZATION(45)] - ERROR: Pcap file does not exist

Please help me.

Below is my build info:

This is Suricata version 6.0.3 RELEASE
Features: NFQ PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS TLS_GNU MAGIC RUST
SIMD support: SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-44), C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.38, linked against LibHTP v0.5.36

Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: yes
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes

Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: no
GeoIP2 support: yes
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
HTTP2 decompression: no

Rust support: yes
Rust strict mode: no
Rust compiler path: /bin/rustc
Rust compiler version: rustc 1.55.0 (Red Hat 1.55.0-1.el7)
Cargo path: /bin/cargo
Cargo version: cargo 1.55.0
Cargo vendor: yes

Python support: yes
Python path: /usr/local/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes

Profiling enabled: no
Profiling locks enabled: no

Plugin support (experimental): yes

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share

Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -std=gnu99 -march=native -I${srcdir}/…/rust/gen -I${srcdir}/…/rust/dist
PCAP_CFLAGS -I/usr/local/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Please help.

Hi,

Suricata is terminating execution because it received "end of file" from /dev/stdin.

Try the following (corrected) commandline:

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode=autofp -v -r /dev/stdin

To confirm, do you see lines similar to these in the output?

[1822239] 11/10/2021 -- 08:03:39 - (source-pcap-file-helper.c:156) <Info> (PcapFileDispatch) -- pcap file /dev/stdin end of file reached (pcap err code 0)
[1822225] 11/10/2021 -- 08:03:39 - (suricata.c:2630) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.

Hi,

I tried executing that, and the result is:

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml --runmode=autofp -v -r /dev/stdin
11/10/2021 -- 21:11:16 - - Including configuration file rules.yaml.
11/10/2021 -- 21:11:16 - - This is Suricata version 6.0.3 RELEASE running in USER mode
11/10/2021 -- 21:11:16 - - CPUs/cores online: 4
11/10/2021 -- 21:11:16 - - fast output device (regular) initialized: fast.log
11/10/2021 -- 21:11:16 - - Using log dir .
11/10/2021 -- 21:11:16 - - Selected pcap-log compression method: none
11/10/2021 -- 21:11:16 - - using normal logging
11/10/2021 -- 21:11:16 - - stats output device (regular) initialized: stats.log
11/10/2021 -- 21:11:21 - - 55 rule files processed. 37024 rules successfully loaded, 0 rules failed
11/10/2021 -- 21:11:22 - - Threshold config parsed: 0 rule(s) found
11/10/2021 -- 21:11:24 - - 37027 signatures processed. 617 are IP-only rules, 3960 are inspecting packet payload, 32443 inspect application layer, 0 are decoder event only
11/10/2021 -- 21:12:41 - - Argument /dev/stdin was a directory
11/10/2021 -- 21:12:41 - - Initializing PCAP ring buffer for ./log.pcap.
11/10/2021 -- 21:12:41 - - Ring buffer initialized with 2 files.
11/10/2021 -- 21:12:41 - - all 5 packet processing threads, 4 management threads initialized, engine started.
11/10/2021 -- 21:12:41 - - Starting directory run for /dev/stdin
11/10/2021 -- 21:12:41 - - Processing pcaps directory /dev/stdin, files must be newer than 0 and older than 18446744073709550616
11/10/2021 -- 21:12:41 - - Directory run mode complete
11/10/2021 -- 21:12:41 - - Signal Received. Stopping engine.
11/10/2021 -- 21:12:41 - - time elapsed 0.153s
11/10/2021 -- 21:12:41 - - Pcap-file module read 0 files, 0 packets, 0 bytes
11/10/2021 -- 21:12:41 - - Alerts: 0
11/10/2021 -- 21:12:42 - - cleaning up signature grouping structure... complete

Please help.

Hi,

I realize it started happening after I rebooted the server. Before that I ran 'yum update -y'; I had not rebooted or run yum update for almost 2 years. Do you think the latest update of pcap is the cause? My server is CentOS 7.

Please help. TQ

Anyone ? Please help.

Can you validate the output of trafr? My understanding of the issue is that EOF is being returned to Suricata when reading from the input stream provided by trafr.

Hi,

Can you tell me how to validate? TQ

Suricata is receiving EOF from /dev/stdin ... that stream is expected to contain pcap data as supplied by trafr.

I'm not familiar with trafr, but it should be sending data formatted as pcap for you.

As a temporary test, try cat /path/to/file.pcap instead of trafr.
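One way to do the validation the reply asks for, as an added example that is not part of the thread: inspect the first four bytes a producer such as trafr emits and compare them with the known libpcap and pcapng magic numbers. The function name, the constructed sample header and the temp-file handling are my own assumptions; the helper reads from a path (use a spooled file, or /dev/stdin only when a pipe is attached).

```shell
#!/bin/sh
# Added example (not from the thread): classify the first 4 bytes of a
# capture stream so a producer's output can be checked for pcap framing.
# Usage: pcap_stream_kind /path/to/stream   (e.g. a file spooled from trafr)
pcap_stream_kind() {
    # od prints " d4 c3 b2 a1"; strip spaces/newline to get "d4c3b2a1"
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1)          echo "pcap-le" ;;    # libpcap, little-endian, usec
        a1b2c3d4)          echo "pcap-be" ;;    # libpcap, big-endian, usec
        4d3cb2a1|a1b23c4d) echo "pcap-nsec" ;;  # libpcap nanosecond variants
        0a0d0d0a)          echo "pcapng" ;;     # pcapng section header block
        "")                echo "empty" ;;      # EOF before any header byte
        *)                 echo "unknown" ;;    # not a capture format
    esac
}

# Self-contained demo on a constructed 8-byte libpcap header prefix
# (magic d4c3b2a1, version 2.4); nothing here touches a real capture.
demo_sample=$(mktemp)
printf '\324\303\262\241\002\000\004\000' > "$demo_sample"
echo "constructed header: $(pcap_stream_kind "$demo_sample")"
rm -f "$demo_sample"
```

A result of "empty" on the spooled trafr output matches the EOF behaviour described in the thread, while "unknown" means the bytes are not a pcap header at all.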