Seems parameters '--unix-socket' and '--af-packet' are incompatible?

I'm trying to run Suricata (v6.0.9) in af-packet mode with the following command:
/opt/suricata/bin/suricata --unix-socket --af-packet=eth0 -c /opt/suricata/etc/suricata/suricata.yaml
and got the error: [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(126)] - more than one run mode has been specified

But when I removed --unix-socket, like
/opt/suricata/bin/suricata --af-packet=eth0 -c /opt/suricata/etc/suricata/suricata.yaml
or ran in PF_RING mode, like
/opt/suricata/bin/suricata --unix-socket --pfring-int=eth0 -c /opt/suricata/etc/suricata/suricata.yaml
they both worked well.

Does this mean --unix-socket and --af-packet are incompatible? How can I fix this?

Thank you in advance!

This can be a bit confusing. If you run --list-runmodes you see that there is also a UNIX_SOCKET runmode, while the -h output seems to relate to the suricatasc command.

I think we can improve on that; in the meantime I would suggest setting the unix socket in the suricata.yaml itself.

OK, thanks.

@ I think we can improve on that; in the meantime I would suggest setting the unix socket in the suricata.yaml itself.

Do you mean setting it like this in suricata.yaml? Can suricatasc work as normal this way? I have to use suricatasc to get the total packet count in our project.

unix-command:
    enabled: yes
    filename: custom.socket

Yes, you can use that and suricatasc should be able to connect to this; maybe you want to add the full path.
The packets can also be seen in the stats.log or in the stats event in the EVE JSON.
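Querying the socket configured above from your own code, as an added example written for this thread (not Suricata project code and not suricatasc itself): it speaks the same JSON-over-unix-socket protocol suricatasc uses, announcing a protocol version first and then sending an iface-stat command for one interface. The version string "0.2", the reply fields pkts and drop, and the socket path under /var/run/suricata are assumptions to check against your own Suricata version.

```python
import json
import socket

# Assumption: "0.2" is the protocol version suricatasc announces for Suricata 6.x.
PROTOCOL_VERSION = "0.2"

def _recv_json(sock, bufsize=4096):
    """Read from the socket until the bytes received parse as one JSON object."""
    data = b""
    while True:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise ConnectionError("socket closed before a complete reply arrived")
        data += chunk
        try:
            return json.loads(data.decode())
        except ValueError:
            continue  # reply still incomplete, keep reading

def send_command(sock, command, arguments=None):
    """Send one {"command": ..., "arguments": ...} object and return the reply's
    "message" field; a "NOK" return value is raised as an error."""
    request = {"command": command}
    if arguments:
        request["arguments"] = arguments
    sock.sendall(json.dumps(request).encode())
    reply = _recv_json(sock)
    if reply.get("return") != "OK":
        raise RuntimeError("%s failed: %r" % (command, reply.get("message")))
    return reply.get("message")

def iface_packets(socket_path, iface):
    """Return (pkts, drop) for one capture interface via the unix socket.
    Assumption: "iface-stat" answers with a message holding "pkts" and "drop"."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        # Handshake: the client announces its protocol version before any command.
        sock.sendall(json.dumps({"version": PROTOCOL_VERSION}).encode())
        hello = _recv_json(sock)
        if hello.get("return") != "OK":
            raise RuntimeError("version handshake rejected: %r" % hello)
        stats = send_command(sock, "iface-stat", {"iface": iface})
        return int(stats["pkts"]), int(stats["drop"])

if __name__ == "__main__":
    # Assumed full path for the custom.socket filename from the thread's yaml.
    print(iface_packets("/var/run/suricata/custom.socket", "eth0"))
```

If the handshake or the command is refused, the error carries Suricata's own message so the mismatch (wrong version, unknown interface) is visible instead of a silent zero.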
