Hi there. I have implemented a suricata solution in one interface. That interface is a mirrored WAN port. So all the traffic that i see is to the internet.
I want to monitor my internal traffic as well. Is it possible to add another interface on the suricata.yaml?
yes, you can write a second interface section like this:
af-packet:
- interface: eth0
<snip options>
-interface: eth1
Thanks. Imagining if the new interface is a mirred trunk port with all my VLANs.
Do i have to do something special or just define my networks on the yaml?
Just define the network in the yaml in the HOME_NET section, you might want to check the vlan use-for-tracking option and set it to yes.
Hello,
I need to implement two interfaces (bond0 and bond1).
RHEL 8.4
Suricata 6.0.3
I need to edit two files (/etc/sysconfig/suricata and/etc/suricata/suricata.yaml).
In “/etc/sysconfig/suricata” I have:
OPTIONS = “- i bond0 -i bond1”
In “/etc/suricata/suricata.yaml” I have:
# Linux high speed capture support
af-packet:
- interface: bond0
- interface: bond1
# Number of receive threads. "auto" uses the number of cores
#threads: auto
# Default clusterid. AF_PACKET will load balance packets based on flow.
cluster-id: 99
# Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
# This is only supported for Linux kernel > 3.1
# possible value are:
# * cluster_flow: all packets of a given flow are sent to the same socket
# * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
# * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
# socket. Requires at least Linux 3.14.
# * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
# more info.
# Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
# with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
cluster-type: cluster_flow
# In some fragmentation cases, the hash can not be computed. If "defrag" is set
# to yes, the kernel will do the needed defragmentation before sending the packets.
defrag: yes
# To use the ring feature of AF_PACKET, set 'use-mmap' to yes
use-mmap: yes
# Lock memory map to avoid it being swapped. Be careful that over
# subscribing could lock your system
#mmap-locked: yes
# Use tpacket_v3 capture mode, only active if use-mmap is true
# Don't use it in IPS or TAP mode as it causes severe latency
tpacket-v3: yes
# Ring size will be computed with respect to "max-pending-packets" and number
# of threads. You can set manually the ring size in number of packets by setting
# the following value. If you are using flow "cluster-type" and have really network
# intensive single-flow you may want to set the "ring-size" independently of the number
# of threads:
#ring-size: 2048
# Block size is used by tpacket_v3 only. It should set to a value high enough to contain
# a decent number of packets. Size is in bytes so please consider your MTU. It should be
# a power of 2 and it must be multiple of page size (usually 4096).
#block-size: 32768
# tpacket_v3 block timeout: an open block is passed to userspace if it is not
# filled after block-timeout milliseconds.
#block-timeout: 10
# On busy systems, set it to yes to help recover from a packet drop
# phase. This will result in some packets (at max a ring flush) not being inspected.
#use-emergency-flush: yes
# recv buffer size, increased value could improve performance
# buffer-size: 32768
# Set to yes to disable promiscuous mode
# disable-promisc: no
# Choose checksum verification mode for the interface. At the moment
# of the capture, some packets may have an invalid checksum due to
# the checksum computation being offloaded to the network card.
# Possible values are:
# - kernel: use indication sent by kernel for each packet (default)
# - yes: checksum validation is forced
# - no: checksum validation is disabled
# - auto: Suricata uses a statistical approach to detect when
# checksum off-loading is used.
# Warning: 'capture.checksum-validation' must be set to yes to have any validation
#checksum-checks: kernel
# BPF filter to apply to this interface. The pcap filter syntax applies here.
#bpf-filter: port 80 or udp
# You can use the following variables to activate AF_PACKET tap or IPS mode.
# If copy-mode is set to ips or tap, the traffic coming to the current
# interface will be copied to the copy-iface interface. If 'tap' is set, the
# copy is complete. If 'ips' is set, the packet matching a 'drop' action
# will not be copied.
#copy-mode: ips
#copy-iface: eth1
# For eBPF and XDP setup including bypass, filter and load balancing, please
# see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.
# Put default values here. These will be used for an interface that is not
# in the list above.
- interface: default
#threads: auto
use-mmap: yes
tpacket-v3: yes
It is right?
Thank you for your help
Michael
Change /etc/sysconfig/suricata – the option you want is --af-packet
The suricata.yaml file should change. Each interface should have it’s own options; minimally, the cluster-id should be unique for each interface.
This example is from our documentation at suricata.readthedocs.io You can use defaults for most of the options but make sure cluster-id is unique for all interfaces; you can comment out (or remove) the items you don’t need.
- interface: eth1
# Number of receive threads. "auto" uses the number of cores
threads: 18
cluster-id: 99
cluster-type: cluster_qm
defrag: no
use-mmap: yes
mmap-locked: yes
tpacket-v3: yes
ring-size: 100000
block-size: 1048576
- interface: eth1
# Number of receive threads. "auto" uses the number of cores
threads: 18
cluster-id: 99
cluster-type: cluster_qm
defrag: no
use-mmap: yes
mmap-locked: yes
tpacket-v3: yes
ring-size: 100000
block-size: 1048576
Hello Jeff and Team!
Is there anyway of confirming what interfaces Suricata is listening on?
I also have a bonded interface on Ubuntu 20.0.04 composing of two interfaces and therefore have my configuration such as:
af-packet:
- interface: bond0
<snip options>
cluster-id: 99
-interface: eno1np0
<snip options>
cluster-id: 98
-interface: eno1np0
<snip options>
cluster-id: 97
Where <snip options> have the same defaults for all interfaces apart from a unique cluster-id.
Thanks for your help in advance! TYIA!
You can check the output of the suricata.log and also use suricatasc to get interface specific stats with iface-stat bond0 and so on.
Thanks so much @Andreas_Herz !
I read up the docs about this Python script and followed pre-requisites via:
https://manpages.ubuntu.com/manpages/bionic/man1/suricatasc.1.html
https://suricata.readthedocs.io/en/suricata-6.0.0/unix-socket.html
Ensuring I had python-simplejson installed etc.
I also changed my /etc/suricata.suricata.yaml config from “AUTO” to “YES” and again restarted Suricata process.
# Unix command socket that can be used to pass commands to Suricata.
# An external tool can then connect to get information from Suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
enabled: yes
#filename: custom.socket
# cat /var/log/suricata/suricata.log | grep "Using unix socket file"
19/10/2022 -- 03:58:36 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 04:01:10 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 15:33:16 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
# ls -halt /var/run/suricata/suricata-command.socket
srw-rw---- 1 root root 0 Oct 19 15:33 /var/run/suricata/suricata-command.socket
When I try to invoke the Python script, I always yield the error:
# sudo suricatasc /var/run/suricata/suricata-command.socket
Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 111] Connection refused
If I run systemctl status suricata, I do not see any mention of Unix socket and not sure if this is related.
# systemctl status suricata
● suricata.service - LSB: Next Generation IDS/IPS
Loaded: loaded (/etc/init.d/suricata; generated)
Active: active (running) since Wed 2022-10-19 15:33:00 UTC; 5s ago
Docs: man:systemd-sysv-generator(8)
Process: 12429 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 462579)
Memory: 386.5M
CGroup: /system.slice/suricata.service
└─12446 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
Oct 19 15:33:00 <HOSTNAME> systemd[1]: Starting LSB: Next Generation IDS/IPS...
Oct 19 15:33:00 <HOSTNAME> suricata[12429]: Likely stale PID 8303 with /var/run/suricata.pid exists, but process is not run>
Oct 19 15:33:00 <HOSTNAME> suricata[12429]: Removing stale PID file /var/run/suricata.pid
Oct 19 15:33:00 <HOSTNAME> suricata[12429]: Starting suricata in IDS (af-packet) mode... done.
Oct 19 15:33:00 <HOSTNAME> systemd[1]: Started LSB: Next Generation IDS/IPS.
Am I missing something here? Apologies in advance if so.
In the meantime, I will have a look through /var/log/suricata/suricata.log for any related information about interface statistics which is a hefty file
The config option etc. look correct. So hard to tell why the connection is refused, is there anything in the log related to that?
Also paste suricata --build-info an in general how did you install suricata?
Thanks again, glad to know I am not doing anything wrong!!
Very strange, I have this installed on a physical box:
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
This is Suricata version 6.0.8 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 9.4.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.41, linked against LibHTP v0.5.41
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
GeoIP2 support: yes
Non-bundled htp: yes
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
HTTP2 decompression: no
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.59.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.59.0
Cargo vendor: yes
Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Plugin support (experimental): yes
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fdebug-prefix-map=/build/suricata-mag2Rg/suricata-6.0.8=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
I followed the docs at * Installation guides for Ubuntu.
I have a very similar setup on a different server on "Ubuntu 20.04.4 LTS" and sudo suricatasc /var/run/suricata/suricata-command.socket works with no issues.
Nothing in the /var/log/suricata/suricata.log either 
Update:
Apologies, forgot to mention I used this reference for deployment as an initial guide:
Hey @Andreas_Herz … Extremely confused,
18/10/2022 -- 19:52:05 - <Info> - All AFP capture threads are running.
19/10/2022 -- 00:00:34 - <Notice> - Signal Received. Stopping engine.
19/10/2022 -- 00:00:35 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
19/10/2022 -- 00:00:35 - <Info> - time elapsed 14914.397s
19/10/2022 -- 00:00:35 - <Perf> - 21 flows processed
19/10/2022 -- 00:00:36 - <Perf> - (W#01-bond0) Kernel: Packets 0, dropped 0
..
19/10/2022 -- 00:00:40 - <Info> - Alerts: 5
19/10/2022 -- 00:00:40 - <Perf> - ippair memory usage: 414144 bytes, maximum: 16777216
19/10/2022 -- 00:00:41 - <Perf> - host memory usage: 398144 bytes, maximum: 33554432
19/10/2022 -- 00:00:41 - <Info> - cleaning up signature grouping structure... complete
19/10/2022 -- 00:00:41 - <Notice> - Stats for 'bond0': pkts: 221, drop: 0 (0.00%), invalid chksum: 0
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring gro offloading
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring tso offloading
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring gso offloading
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring sg offloading
19/10/2022 -- 00:00:41 - <Perf> - bond0: restoring lro offloading
19/10/2022 -- 00:00:41 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'bond0': Invalid argument (22)
19/10/2022 -- 00:00:41 - <Perf> - Cleaning up Hyperscan global scratch
19/10/2022 -- 00:00:41 - <Perf> - Clearing Hyperscan database cache
19/10/2022 -- 00:00:42 - <Notice> - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
..
19/10/2022 -- 00:00:42 - <Info> - CPUs/cores online: 80
19/10/2022 -- 00:00:42 - <Config> - Adding interface bond0 from config file
19/10/2022 -- 00:00:42 - <Config> - luajit states preallocated: 128
19/10/2022 -- 00:00:42 - <Config> - app-layer.error-policy: ignore
19/10/2022 -- 00:00:42 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33868 and 'request-body-inspect-window' set to 3931 after randomization.
19/10/2022 -- 00:00:42 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 40121 and 'response-body-inspect-window' set to 16474 after randomization.
19/10/2022 -- 00:00:42 - <Config> - SMB stream depth: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-read-size: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-write-size: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-write-queue-size: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-write-queue-cnt: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-read-queue-size: 0
19/10/2022 -- 00:00:42 - <Config> - SMB max-read-queue-cnt: 0
19/10/2022 -- 00:00:42 - <Config> - Protocol detection and parser disabled for modbus protocol.
19/10/2022 -- 00:00:42 - <Config> - Protocol detection and parser disabled for enip protocol.
19/10/2022 -- 00:00:42 - <Config> - Protocol detection and parser disabled for DNP3.
19/10/2022 -- 00:00:42 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
..
19/10/2022 -- 00:00:42 - <Info> - Found an MTU of 1500 for 'bond0'
19/10/2022 -- 00:00:42 - <Info> - Found an MTU of 1500 for 'bond0'
19/10/2022 -- 00:00:42 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
19/10/2022 -- 00:00:42 - <Config> - preallocated 1000 hosts of size 136
19/10/2022 -- 00:00:42 - <Config> - host memory usage: 398144 bytes, maximum: 33554432
19/10/2022 -- 00:00:42 - <Config> - Core dump size set to unlimited.
19/10/2022 -- 00:00:42 - <Config> - defrag.memcap-policy: ignore
..
19/10/2022 -- 03:29:54 - <Perf> - bond0: disabling sg offloading
19/10/2022 -- 03:29:54 - <Config> - bond0: enabling zero copy mode by using data release call
19/10/2022 -- 03:29:54 - <Info> - Going to use 80 thread(s)
19/10/2022 -- 03:29:55 - <Config> - using 1 flow manager threads
19/10/2022 -- 03:29:55 - <Config> - using 1 flow recycler threads
19/10/2022 -- 03:29:55 - <Info> - Running in live mode, activating unix socket
19/10/2022 -- 03:29:55 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 03:29:55 - <Notice> - all 80 packet processing threads, 4 management threads initialized, engine started.
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:55 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:56 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:57 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:58 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=2 frame_size=1600 frame_nr=40
19/10/2022 -- 03:29:59 - <Info> - All AFP capture threads are running.
19/10/2022 -- 03:36:54 - <Notice> - Signal Received. Stopping engine.
19/10/2022 -- 03:36:55 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
19/10/2022 -- 03:36:55 - <Info> - time elapsed 420.791s
19/10/2022 -- 03:36:55 - <Perf> - 0 flows processed
..
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
..
19/10/2022 -- 03:37:18 - <Info> - Running in live mode, activating unix socket
19/10/2022 -- 03:37:18 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#31-eno1np0" failed to initialize: flags 0145
19/10/2022 -- 03:37:18 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
19/10/2022 -- 03:41:29 - <Notice> - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
19/10/2022 -- 03:41:29 - <Info> - CPUs/cores online: 80
19/10/2022 -- 03:41:29 - <Config> - Adding interface bond0 from config file
19/10/2022 -- 03:41:29 - <Config> - Adding interface eno1np0 from config file
19/10/2022 -- 03:41:29 - <Config> - Adding interface eno2np0 from config file
19/10/2022 -- 03:41:29 - <Config> - luajit states preallocated: 128
19/10/2022 -- 03:41:29 - <Config> - app-layer.error-policy: ignore
19/10/2022 -- 03:41:29 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32202 and 'request-body-inspect-window' set to 3980 after randomization.
19/10/2022 -- 03:41:29 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 42427 and 'response-body-inspect-window' set to 15704 after randomization
..
19/10/2022 -- 15:33:16 - <Config> - using 1 flow manager threads
19/10/2022 -- 15:33:16 - <Config> - using 1 flow recycler threads
19/10/2022 -- 15:33:16 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/10/2022 -- 15:33:16 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#31-eno1np0" failed to initialize: flags 0145
19/10/2022 -- 15:33:16 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
at /etc/suricata/suricata.yaml | grep bond0 -A 50 -B 5
## and PF_RING.
##
# Linux high speed capture support
af-packet:
- interface: bond0
# Number of receive threads. "auto" uses the number of cores
#threads: auto
# Default clusterid. AF_PACKET will load balance packets based on flow.
cluster-id: 99
# Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
# This is only supported for Linux kernel > 3.1
# possible value are:
# * cluster_flow: all packets of a given flow are sent to the same socket
# * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
# * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
# socket. Requires at least Linux 3.14.
# * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
# more info.
# Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
# with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
cluster-type: cluster_flow
# In some fragmentation cases, the hash can not be computed. If "defrag" is set
# to yes, the kernel will do the needed defragmentation before sending the packets.
defrag: yes
# To use the ring feature of AF_PACKET, set 'use-mmap' to yes
#use-mmap: yes
# Lock memory map to avoid it being swapped. Be careful that over
# subscribing could lock your system
#mmap-locked: yes
# Use tpacket_v3 capture mode, only active if use-mmap is true
# Don't use it in IPS or TAP mode as it causes severe latency
#tpacket-v3: yes
# Ring size will be computed with respect to "max-pending-packets" and number
# of threads. You can set manually the ring size in number of packets by setting
# the following value. If you are using flow "cluster-type" and have really network
# intensive single-flow you may want to set the "ring-size" independently of the number
# of threads:
#ring-size: 2048
# Block size is used by tpacket_v3 only. It should set to a value high enough to contain
# a decent number of packets. Size is in bytes so please consider your MTU. It should be
# a power of 2 and it must be multiple of page size (usually 4096).
#block-size: 32768
# tpacket_v3 block timeout: an open block is passed to userspace if it is not
# filled after block-timeout milliseconds.
#block-timeout: 10
# On busy systems, set it to yes to help recover from a packet drop
# phase. This will result in some packets (at max a ring flush) not being inspected.
#use-emergency-flush: yes
# recv buffer size, increased value could improve performance
# buffer-size: 32768
# Set to yes to disable promiscuous mode
# disable-promisc: no
# Choose checksum verification mode for the interface. At the moment
# of the capture, some packets may have an invalid checksum due to
# the checksum computation being offloaded to the network card.
--
#copy-iface: eth1
# For eBPF and XDP setup including bypass, filter and load balancing, please
# see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.
- interface: eno1np0
# Adding additional interface eno1np0 which is part of bond0 interface ($ ip link show)
# Number of receive threads. "auto" uses the number of cores
#threads: auto
# Default clusterid. AF_PACKET will load balance packets based on flow.
cluster-id: 98
# Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
# This is only supported for Linux kernel > 3.1
# possible value are:
# * cluster_flow: all packets of a given flow are sent to the same socket
# * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
# * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
# socket. Requires at least Linux 3.14.
# * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
# more info.
# Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
# with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
cluster-type: cluster_flow
# In some fragmentation cases, the hash can not be computed. If "defrag" is set
# to yes, the kernel will do the needed defragmentation before sending the packets.
defrag: yes
# To use the ring feature of AF_PACKET, set 'use-mmap' to yes
#use-mmap: yes
# Lock memory map to avoid it being swapped. Be careful that over
# subscribing could lock your system
#mmap-locked: yes
# Use tpacket_v3 capture mode, only active if use-mmap is true
# Don't use it in IPS or TAP mode as it causes severe latency
#tpacket-v3: yes
# Ring size will be computed with respect to "max-pending-packets" and number
# of threads. You can set manually the ring size in number of packets by setting
# the following value. If you are using flow "cluster-type" and have really network
# intensive single-flow you may want to set the "ring-size" independently of the number
# of threads:
#ring-size: 2048
# Block size is used by tpacket_v3 only. It should set to a value high enough to contain
# a decent number of packets. Size is in bytes so please consider your MTU. It should be
# a power of 2 and it must be multiple of page size (usually 4096).
#block-size: 32768
# tpacket_v3 block timeout: an open block is passed to userspace if it is not
# filled after block-timeout milliseconds.
#block-timeout: 10
# On busy systems, set it to yes to help recover from a packet drop
# phase. This will result in some packets (at max a ring flush) not being inspected.
#use-emergency-flush: yes
# recv buffer size, increased value could improve performance
# buffer-size: 32768
# Set to yes to disable promiscuous mode
# disable-promisc: no
# Choose checksum verification mode for the interface. At the moment
# of the capture, some packets may have an invalid checksum due to
# the checksum computation being offloaded to the network card.
--
#copy-iface: eth1
# For eBPF and XDP setup including bypass, filter and load balancing, please
# see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.
- interface: eno2np0
# Adding additional interface eno2np0 which is part of bond0 interface ($ ip link show)
# Number of receive threads. "auto" uses the number of cores
#threads: auto
# Default clusterid. AF_PACKET will load balance packets based on flow.
cluster-id: 97
# Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
# This is only supported for Linux kernel > 3.1
# possible value are:
# * cluster_flow: all packets of a given flow are sent to the same socket
# * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
# * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
# socket. Requires at least Linux 3.14.
# * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
# more info.
# Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
# with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
cluster-type: cluster_flow
# In some fragmentation cases, the hash can not be computed. If "defrag" is set
# to yes, the kernel will do the needed defragmentation before sending the packets.
defrag: yes
# To use the ring feature of AF_PACKET, set 'use-mmap' to yes
#use-mmap: yes
# Lock memory map to avoid it being swapped. Be careful that over
# subscribing could lock your system
#mmap-locked: yes
# Use tpacket_v3 capture mode, only active if use-mmap is true
# Don't use it in IPS or TAP mode as it causes severe latency
#tpacket-v3: yes
# Ring size will be computed with respect to "max-pending-packets" and number
# of threads. You can set manually the ring size in number of packets by setting
# the following value. If you are using flow "cluster-type" and have really network
# intensive single-flow you may want to set the "ring-size" independently of the number
# of threads:
#ring-size: 2048
# Block size is used by tpacket_v3 only. It should set to a value high enough to contain
# a decent number of packets. Size is in bytes so please consider your MTU. It should be
# a power of 2 and it must be multiple of page size (usually 4096).
#block-size: 32768
# tpacket_v3 block timeout: an open block is passed to userspace if it is not
# filled after block-timeout milliseconds.
#block-timeout: 10
# On busy systems, set it to yes to help recover from a packet drop
# phase. This will result in some packets (at max a ring flush) not being inspected.
#use-emergency-flush: yes
# recv buffer size, increased value could improve performance
# buffer-size: 32768
# Set to yes to disable promiscuous mode
# disable-promisc: no
# Choose checksum verification mode for the interface. At the moment
# of the capture, some packets may have an invalid checksum due to
# the checksum computation being offloaded to the network card.
..
Do I need to amend some config somewhere? This does seem to be related IMO
It doesn’t seem to be supporting/picking up multiple interfaces from the config file by looking at the logs.
OR, does the format need to be like in the config file: (separating the - interface with af-packet segment?)
**af-packet:**
- interface: bond0
<snip options>
cluster-id: 99
**af-packet:**
-interface: eno1np0
<snip options>
cluster-id: 98
**af-packet:**
-interface: eno1np0
<snip options>
cluster-id: 97
TYIA!
Please accept my sincere apologies, please ignore my portion of above comment relating to tertiary-defined interface eno2np0… this was an extremely dumb typo of the interface eno2np1 and is no longer an issue.
Hello,
Apologies, but I managed to remediate the issue! 
# Linux high speed capture support
af-packet:
- interface: bond0
# Number of receive threads. "auto" uses the number of cores
threads: 20
20/10/2022 -- 22:12:44 - <Notice> - all 60 packet processing threads, 4 management threads initialized, engine started.
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:44 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:45 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:46 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
20/10/2022 -- 22:12:47 - <Info> - All AFP capture threads are running.
I allocated (as per example config above) 20 cores to each interface (3 x 30 = 60 out of 80) as it looks like they were overlapping and causing the issue
This has also fixed suricatasc, thanks for all your help!! 
suricatasc /var/run/suricata/suricata-command.socket
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, dataset-add, dataset-remove, iface-stat, iface-list, iface-bypassed-stat, ebpf-bypassed-stat, quit
>>>