BTW, testing on Suricata was very helpful in finding a couple of minor bugs in our TLS mirror. Now the SSL mirror is completely transparent to Suricata’s TCP stream decoder.
We use dummy0 for replaying packets locally because dummy0 can be set to a large MTU of 65536 with no repercussions. This allows us to capture packets from servers with large MTUs, and pcap over TCP becomes more efficient for SSL mirroring.
I am able to get it to work with:
suricata -k none -c /etc/suricata/suricata.yaml --pcap=dummy0
but if I set the config to:
pcap:
  interface: dummy0
and completely comment out af-packet and then execute:
suricata -k none -c /etc/suricata/suricata.yaml -i dummy0
It seems like Suricata still tries to use af-packet and I get these errors:
11/3/2021 – 23:19:08 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
11/3/2021 – 23:19:08 - - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn’t init AF_PACKET socket, fatal error
11/3/2021 – 23:19:08 - - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-dummy0 failed
Ultimately, I would like to be able to do:
suricata -k none -c /etc/suricata/suricata.yaml -i eth2 -i dummy0
using AF_PACKET or PF_RING for eth2 and pcap for dummy0.
Is there a way to do this?
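The local replay setup the post describes (a dummy interface with a 65536 MTU, then Suricata reading it in libpcap mode), as an added shell example that is not part of the original post. It assumes iproute2's `ip` is available, that the interface name `dummy0`, the `-k none` switch and the `--pcap=<iface>` switch are used exactly as in the post, and that the reader replays traffic into the interface with their own tool; the function names are this example's, not Suricata's.

```shell
#!/bin/sh
# Added example: bring up a dummy interface with a large MTU and run Suricata
# against it in pcap mode. Functions are side-effect free until invoked with "run".

# Build the Suricata command line for pcap-mode capture on one interface.
# Kept as a pure function so the exact command can be inspected before it is run.
suricata_pcap_cmd() {
    iface=$1
    config=${2:-/etc/suricata/suricata.yaml}
    printf 'suricata -k none -c %s --pcap=%s\n' "$config" "$iface"
}

# Create the dummy interface if it does not exist yet and set its MTU; 65536 is
# the value from the post, so frames captured from high-MTU servers replay intact.
setup_dummy_iface() {
    iface=$1
    mtu=${2:-65536}
    if ! ip link show "$iface" >/dev/null 2>&1; then
        ip link add "$iface" type dummy
    fi
    ip link set dev "$iface" mtu "$mtu" up
}

# Read back the MTU actually configured on an interface, to confirm the setup took effect.
iface_mtu() {
    ip -o link show "$1" | sed -n 's/.* mtu \([0-9]*\).*/\1/p'
}

# Only touch the system when explicitly asked (needs root for ip link and Suricata).
if [ "${1:-}" = "run" ]; then
    setup_dummy_iface dummy0 65536
    echo "dummy0 MTU is now $(iface_mtu dummy0)"
    # Start your replay into dummy0 from another shell, then Suricata captures it here.
    sh -c "$(suricata_pcap_cmd dummy0)"
fi
```

Run as `sh setup.sh run` as root; without the `run` argument the script only defines the functions, which lets you print `suricata_pcap_cmd dummy0` from an interactive shell to check the command before anything is started.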