Multiple interfaces on the same machine

Hi there. I have implemented a suricata solution in one interface. That interface is a mirrored WAN port. So all the traffic that i see is to the internet.

I want to monitor my internal traffic as well. Is it possible to add another interface on the suricata.yaml?

yes, you can write a second interface section like this:

af-packet:
  - interface: eth0
   <snip options>
   -interface: eth1
1 Like

Thanks. Imagining if the new interface is a mirred trunk port with all my VLANs.

Do i have to do something special or just define my networks on the yaml?

Just define the network in the yaml in the HOME_NET section, you might want to check the vlan use-for-tracking option and set it to yes.

Hello,

I need to implement two interfaces (bond0 and bond1).

RHEL 8.4
Suricata 6.0.3

I need to edit two files (/etc/sysconfig/suricata and/etc/suricata/suricata.yaml).

In “/etc/sysconfig/suricata” I have:
OPTIONS = “- i bond0 -i bond1”

In “/etc/suricata/suricata.yaml” I have:

# Linux high speed capture support
af-packet:
  - interface: bond0
  - interface: bond1
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #  socket. Requires at least Linux 3.14.
    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
    #  more info.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Lock memory map to avoid it being swapped. Be careful that over
    # subscribing could lock your system
    #mmap-locked: yes
    # Use tpacket_v3 capture mode, only active if use-mmap is true
    # Don't use it in IPS or TAP mode as it causes severe latency
    tpacket-v3: yes
    # Ring size will be computed with respect to "max-pending-packets" and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow "cluster-type" and have really network
    # intensive single-flow you may want to set the "ring-size" independently of the number
    # of threads:
    #ring-size: 2048
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be multiple of page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On busy systems, set it to yes to help recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) not being inspected.
    #use-emergency-flush: yes
    # recv buffer size, increased value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # the checksum computation being offloaded to the network card.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: Suricata uses a statistical approach to detect when
    #  checksum off-loading is used.
    # Warning: 'capture.checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
    #  For eBPF and XDP setup including bypass, filter and load balancing, please
    #  see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.

  # Put default values here. These will be used for an interface that is not
  # in the list above.
  - interface: default
    #threads: auto
    use-mmap: yes
    tpacket-v3: yes

It is right?

Thank you for your help

Michael

Change /etc/sysconfig/suricata – the option you want is --af-packet

The suricata.yaml file should change. Each interface should have it’s own options; minimally, the cluster-id should be unique for each interface.

This example is from our documentation at suricata.readthedocs.io You can use defaults for most of the options but make sure cluster-id is unique for all interfaces; you can comment out (or remove) the items you don’t need.

- interface: eth1
  # Number of receive threads. "auto" uses the number of cores
  threads: 18
  cluster-id: 99
  cluster-type: cluster_qm
  defrag: no
  use-mmap: yes
  mmap-locked: yes
  tpacket-v3: yes
  ring-size: 100000
  block-size: 1048576
- interface: eth1
  # Number of receive threads. "auto" uses the number of cores
  threads: 18
  cluster-id: 99
  cluster-type: cluster_qm
  defrag: no
  use-mmap: yes
  mmap-locked: yes
  tpacket-v3: yes
  ring-size: 100000
  block-size: 1048576

Hello Jeff and Team!

Is there anyway of confirming what interfaces Suricata is listening on?

I also have a bonded interface on Ubuntu 20.0.04 composing of two interfaces and therefore have my configuration such as:

af-packet:
  - interface: bond0
   <snip options>
   cluster-id: 99
   -interface: eno1np0
   <snip options>
   cluster-id: 98
   -interface: eno1np0
   <snip options>
   cluster-id: 97

Where <snip options> have the same defaults for all interfaces apart from a unique cluster-id.

Thanks for your help in advance! TYIA!

You can check the output of the suricata.log and also use suricatasc to get interface specific stats with iface-stat bond0 and so on.

Thanks so much @Andreas_Herz !

I read up the docs about this Python script and followed pre-requisites via:

https://manpages.ubuntu.com/manpages/bionic/man1/suricatasc.1.html
https://suricata.readthedocs.io/en/suricata-6.0.0/unix-socket.html

Ensuring I had python-simplejson installed etc.

I also changed my /etc/suricata.suricata.yaml config from “AUTO” to “YES” and again restarted Suricata process.

# Unix command socket that can be used to pass commands to Suricata.
# An external tool can then connect to get information from Suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
  enabled: yes
  #filename: custom.socket

# cat /var/log/suricata/suricata.log | grep "Using unix socket file"
19/10/2022 -- 03:58:36 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 04:01:10 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 15:33:16 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'

# ls -halt /var/run/suricata/suricata-command.socket
srw-rw---- 1 root root 0 Oct 19 15:33 /var/run/suricata/suricata-command.socket

When I try to invoke the Python script, I always yield the error:

# sudo suricatasc /var/run/suricata/suricata-command.socket
Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 111] Connection refused

If I run systemctl status suricata, I do not see any mention of Unix socket and not sure if this is related.

# systemctl status suricata
â—Ź suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (running) since Wed 2022-10-19 15:33:00 UTC; 5s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 12429 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 462579)
     Memory: 386.5M
     CGroup: /system.slice/suricata.service
             └─12446 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv

Oct 19 15:33:00 <HOSTNAME> systemd[1]: Starting LSB: Next Generation IDS/IPS...
Oct 19 15:33:00 <HOSTNAME> suricata[12429]: Likely stale PID 8303 with /var/run/suricata.pid exists, but process is not run>
Oct 19 15:33:00 <HOSTNAME> suricata[12429]: Removing stale PID file /var/run/suricata.pid
Oct 19 15:33:00 <HOSTNAME> suricata[12429]: Starting suricata in IDS (af-packet) mode... done.
Oct 19 15:33:00 <HOSTNAME> systemd[1]: Started LSB: Next Generation IDS/IPS.

Am I missing something here? Apologies in advance if so.

In the meantime, I will have a look through /var/log/suricata/suricata.log for any related information about interface statistics which is a hefty file

The config option etc. look correct. So hard to tell why the connection is refused, is there anything in the log related to that?

Also paste suricata --build-info an in general how did you install suricata?

Thanks again, glad to know I am not doing anything wrong!!

Very strange, I have this installed on a physical box:

NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"

This is Suricata version 6.0.8 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 9.4.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.41, linked against LibHTP v0.5.41

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  hiredis async with libevent:             yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  GeoIP2 support:                          yes
  Non-bundled htp:                         yes
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  HTTP2 decompression:                     no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.59.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.59.0
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -g -O2 -fdebug-prefix-map=/build/suricata-mag2Rg/suricata-6.0.8=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

I followed the docs at * Installation guides for Ubuntu.

I have a very similar setup on a different server on "Ubuntu 20.04.4 LTS" and sudo suricatasc /var/run/suricata/suricata-command.socket works with no issues.

Nothing in the /var/log/suricata/suricata.log either :frowning:

Update:
Apologies, forgot to mention I used this reference for deployment as an initial guide:

Hey @Andreas_Herz … Extremely confused,

18/10/2022 -- 19:52:05 - <Info> - All AFP capture threads are running.
19/10/2022 -- 00:00:34 - <Notice> - Signal Received.  Stopping engine.
19/10/2022 -- 00:00:35 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
19/10/2022 -- 00:00:35 - <Info> - time elapsed 14914.397s
19/10/2022 -- 00:00:35 - <Perf> - 21 flows processed
19/10/2022 -- 00:00:36 - <Perf> - (W#01-bond0) Kernel: Packets 0, dropped 0
..
19/10/2022 -- 00:00:40 - <Info> - Alerts: 5
19/10/2022 -- 00:00:40 - <Perf> - ippair memory usage: 414144 bytes, maximum: 16777216
19/10/2022 -- 00:00:41 - <Perf> - host memory usage: 398144 bytes, maximum: 33554432
19/10/2022 -- 00:00:41 - <Info> - cleaning up signature grouping structure... complete
19/10/2022 -- 00:00:41 - <Notice> - Stats for 'bond0':  pkts: 221, drop: 0 (0.00%), invalid chksum: 0
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring gro offloading
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring tso offloading
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring gso offloading
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring sg offloading
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring lro offloading
19/10/2022 -- 00:00:41 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'bond0': Invalid argument (22)
19/10/2022 -- 00:00:41 - <Perf> - Cleaning up Hyperscan global scratch
19/10/2022 -- 00:00:41 - <Perf> - Clearing Hyperscan database cache
19/10/2022 -- 00:00:42 - <Notice> - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
..
19/10/2022 -- 00:00:42 - <Info> - CPUs/cores online: 80
19/10/2022 -- 00:00:42 - <Config> - Adding interface bond0 from config file
19/10/2022 -- 00:00:42 - <Config> - luajit states preallocated: 128
19/10/2022 -- 00:00:42 - <Config> - app-layer.error-policy: ignore
19/10/2022 -- 00:00:42 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33868 and 'request-body-inspect-window' set to 3931 after randomization.
19/10/2022 -- 00:00:42 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 40121 and 'response-body-inspect-window' set to 16474 after randomization.
19/10/2022 -- 00:00:42 - <Config> - SMB stream depth: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-read-size: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-write-size: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-write-queue-size: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-write-queue-cnt: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-read-queue-size: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-read-queue-cnt: 0
19/10/2022 -- 00:00:42 - <Config> - Protocol detection and parser disabled for modbus protocol.
19/10/2022 -- 00:00:42 - <Config> - Protocol detection and parser disabled for enip protocol.
19/10/2022 -- 00:00:42 - <Config> - Protocol detection and parser disabled for DNP3.
19/10/2022 -- 00:00:42 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
..
19/10/2022 -- 00:00:42 - <Info> - Found an MTU of 1500 for 'bond0'
19/10/2022 -- 00:00:42 - <Info> - Found an MTU of 1500 for 'bond0'
19/10/2022 -- 00:00:42 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
19/10/2022 -- 00:00:42 - <Config> - preallocated 1000 hosts of size 136
19/10/2022 -- 00:00:42 - <Config> - host memory usage: 398144 bytes, maximum: 33554432
19/10/2022 -- 00:00:42 - <Config> - Core dump size set to unlimited.
19/10/2022 -- 00:00:42 - <Config> - defrag.memcap-policy: ignore
..
19/10/2022 -- 03:29:54 - <Perf> - bond0: disabling sg offloading
19/10/2022 -- 03:29:54 - <Config> - bond0: enabling zero copy mode by using data release call
19/10/2022 -- 03:29:54 - <Info> - Going to use 80 thread(s)
19/10/2022 -- 03:29:55 - <Config> - using 1 flow manager threads
19/10/2022 -- 03:29:55 - <Config> - using 1 flow recycler threads
19/10/2022 -- 03:29:55 - <Info> - Running in live mode, activating unix socket
19/10/2022 -- 03:29:55 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 03:29:55 - <Notice> - all 80 packet processing threads, 4 management threads initialized, engine started.
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Info> - All AFP capture threads are running.
19/10/2022 -- 03:36:54 - <Notice> - Signal Received.  Stopping engine.
19/10/2022 -- 03:36:55 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
19/10/2022 -- 03:36:55 - <Info> - time elapsed 420.791s
19/10/2022 -- 03:36:55 - <Perf> - 0 flows processed
..
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
..
19/10/2022 -- 03:37:18 - <Info> - Running in live mode, activating unix socket
19/10/2022 -- 03:37:18 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#31-eno1np0" failed to initialize: flags 0145
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
19/10/2022 -- 03:41:29 - <Notice> - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
19/10/2022 -- 03:41:29 - <Info> - CPUs/cores online: 80
19/10/2022 -- 03:41:29 - <Config> - Adding interface bond0 from config file
19/10/2022 -- 03:41:29 - <Config> - Adding interface eno1np0 from config file
19/10/2022 -- 03:41:29 - <Config> - Adding interface eno2np0 from config file
19/10/2022 -- 03:41:29 - <Config> - luajit states preallocated: 128
19/10/2022 -- 03:41:29 - <Config> - app-layer.error-policy: ignore
19/10/2022 -- 03:41:29 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32202 and 'request-body-inspect-window' set to 3980 after randomization.
19/10/2022 -- 03:41:29 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 42427 and 'response-body-inspect-window' set to 15704 after randomization
..
19/10/2022 -- 15:33:16 - <Config> - using 1 flow manager threads
19/10/2022 -- 15:33:16 - <Config> - using 1 flow recycler threads
19/10/2022 -- 15:33:16 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 15:33:16 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#31-eno1np0" failed to initialize: flags 0145
19/10/2022 -- 15:33:16 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
at /etc/suricata/suricata.yaml | grep bond0 -A 50 -B 5
## and PF_RING.
##

# Linux high speed capture support
af-packet:
  - interface: bond0
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #  socket. Requires at least Linux 3.14.
    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
    #  more info.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    #use-mmap: yes
    # Lock memory map to avoid it being swapped. Be careful that over
    # subscribing could lock your system
    #mmap-locked: yes
    # Use tpacket_v3 capture mode, only active if use-mmap is true
    # Don't use it in IPS or TAP mode as it causes severe latency
    #tpacket-v3: yes
    # Ring size will be computed with respect to "max-pending-packets" and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow "cluster-type" and have really network
    # intensive single-flow you may want to set the "ring-size" independently of the number
    # of threads:
    #ring-size: 2048
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be multiple of page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On busy systems, set it to yes to help recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) not being inspected.
    #use-emergency-flush: yes
    # recv buffer size, increased value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # the checksum computation being offloaded to the network card.
--
    #copy-iface: eth1
    #  For eBPF and XDP setup including bypass, filter and load balancing, please
    #  see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.

  - interface: eno1np0
    # Adding additional interface eno1np0 which is part of bond0 interface ($ ip link show)
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 98
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #  socket. Requires at least Linux 3.14.
    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
    #  more info.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    #use-mmap: yes
    # Lock memory map to avoid it being swapped. Be careful that over
    # subscribing could lock your system
    #mmap-locked: yes
    # Use tpacket_v3 capture mode, only active if use-mmap is true
    # Don't use it in IPS or TAP mode as it causes severe latency
    #tpacket-v3: yes
    # Ring size will be computed with respect to "max-pending-packets" and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow "cluster-type" and have really network
    # intensive single-flow you may want to set the "ring-size" independently of the number
    # of threads:
    #ring-size: 2048
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be multiple of page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On busy systems, set it to yes to help recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) not being inspected.
    #use-emergency-flush: yes
    # recv buffer size, increased value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # the checksum computation being offloaded to the network card.
--
    #copy-iface: eth1
    #  For eBPF and XDP setup including bypass, filter and load balancing, please
    #  see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.

  - interface: eno2np0
    # Adding additional interface eno2np0 which is part of bond0 interface ($ ip link show)
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 97
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #  socket. Requires at least Linux 3.14.
    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
    #  more info.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    #use-mmap: yes
    # Lock memory map to avoid it being swapped. Be careful that over
    # subscribing could lock your system
    #mmap-locked: yes
    # Use tpacket_v3 capture mode, only active if use-mmap is true
    # Don't use it in IPS or TAP mode as it causes severe latency
    #tpacket-v3: yes
    # Ring size will be computed with respect to "max-pending-packets" and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow "cluster-type" and have really network
    # intensive single-flow you may want to set the "ring-size" independently of the number
    # of threads:
    #ring-size: 2048
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be multiple of page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On busy systems, set it to yes to help recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) not being inspected.
    #use-emergency-flush: yes
    # recv buffer size, increased value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # the checksum computation being offloaded to the network card.
..

Do I need to amend some config somewhere? This does seem to be related IMO
It doesn’t seem to be supporting/picking up multiple interfaces from the config file by looking at the logs.

OR, does the format need to be like in the config file: (separating the - interface with af-packet segment?)

**af-packet:**
  - interface: bond0
   <snip options>
   cluster-id: 99
**af-packet:**
   -interface: eno1np0
   <snip options>
   cluster-id: 98
**af-packet:**
   -interface: eno1np0
   <snip options>
   cluster-id: 97

TYIA!

Please accept my sincere apologies, please ignore my portion of above comment relating to tertiary-defined interface eno2np0… this was an extremely dumb typo of the interface eno2np1 and is no longer an issue.

Hello,
Apologies, but I managed to remediate the issue! :slight_smile:

# Linux high speed capture support
af-packet:
  - interface: bond0
    # Number of receive threads. "auto" uses the number of cores
    threads: 20
20/10/2022 -- 22:12:44 - <Notice> - all 60 packet processing threads, 4 management threads initialized, engine started.
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Info> - All AFP capture threads are running.

I allocated (as per example config above) 20 cores to each interface (3 x 30 = 60 out of 80) as it looks like they were overlapping and causing the issue

This has also fixed suricatasc, thanks for all your help!! :facepunch:

suricatasc /var/run/suricata/suricata-command.socket
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, dataset-add, dataset-remove, iface-stat, iface-list, iface-bypassed-stat, ebpf-bypassed-stat, quit
>>>