Suricata 6.0.4: SURICATA STREAM pkt seen on wrong thread

I’m seeing [1:2210059:1] SURICATA STREAM pkt seen on wrong thread [**] [Classification: (null)] [Priority: 3].

I’ve read Support #2900: alert 'SURICATA STREAM pkt seen on wrong thread' when run mode set to workers - Suricata - Open Information Security Foundation, Optimization #2725: stream/packet on wrong thread - Suricata - Open Information Security Foundation, and Suricata packet seen on wrong thread, but I’m not sure what they are actually saying, just that it doesn’t appear to be a “good” thing because packets can be, or are being, missed.

Anyone able to give me any hints?

Setting the --runmode autofp CLI arg seems to have cleared the issue up!

So, according to the IRC, this is still an issue that should be investigated due to potential performance issues.

So, suggestions on what to check?

Can you share your config? Especially the interface capture part?

The rules could help narrow down whether there is something specific in the traffic that doesn’t work well with the capture method and packet balancing.

I’ve updated to 6.0.5 and removed the autofp runmode setting just to verify it was still an issue, and it is. It’s a stock yaml config with the exception of disabling the eve log and changing the 8-second stats.log timer to 5 minutes.

root@nexus:/# uci show suricata
suricata.service=suricata
suricata.service.config_file='/etc/suricata/suricata.yaml'
suricata.service.logdir='/var/log/suricata'
suricata.service.pidfile='/var/log/suricata.pid'
suricata.service.rules_file='/var/lib/suricata/rules/suricata.rules'
suricata.service.queue='2' '9'
suricata.service.run_mode='autofp'
suricata.service.interface='br-lan'
suricata.service.verbose='0'
suricata.service.scan_mode='af-packet'
root@nexus:/#
root@nexus:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 2C:26:5F:00:00:00
          inet addr:192.168.1.205  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2e26:5fff:fe80:143c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8010552 errors:0 dropped:728 overruns:0 frame:0
          TX packets:5838 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8868617339 (8.2 GiB)  TX bytes:627757 (613.0 KiB)

eth0      Link encap:Ethernet  HWaddr 2C:26:5F:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6362253 errors:0 dropped:358 overruns:0 frame:0
          TX packets:1753343 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8071647377 (7.5 GiB)  TX bytes:1056295788 (1007.3 MiB)

eth1      Link encap:Ethernet  HWaddr 2C:26:5F:00:00:00
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth2      Link encap:Ethernet  HWaddr 2C:26:5F:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1750462 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6357964 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1063032192 (1013.7 MiB)  TX bytes:8042151543 (7.4 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1983 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1983 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:150670 (147.1 KiB)  TX bytes:150670 (147.1 KiB)

If you need something specific, let me know how to get it and I’m more than happy to post it.

5/6/2022 -- 23:13:47 - <Notice> - This is Suricata version 6.0.5 RELEASE running in SYSTEM mode
5/6/2022 -- 23:13:47 - <Info> - CPUs/cores online: 2
5/6/2022 -- 23:13:47 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
5/6/2022 -- 23:13:47 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
5/6/2022 -- 23:13:47 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
5/6/2022 -- 23:13:47 - <Info> - Found an MTU of 1500 for 'br-lan'
5/6/2022 -- 23:13:47 - <Info> - Found an MTU of 1500 for 'br-lan'
5/6/2022 -- 23:13:47 - <Info> - Found an MTU of 1500 for 'eth0'
5/6/2022 -- 23:13:47 - <Info> - Found an MTU of 1500 for 'eth0'
5/6/2022 -- 23:13:47 - <Notice> - Using host.memcap = 32mb
5/6/2022 -- 23:13:47 - <Notice> - Setting host_config.memcap to 33554432
5/6/2022 -- 23:13:47 - <Notice> - host_config.memcap is now  33554432
5/6/2022 -- 23:13:47 - <Notice> - Using host.hash-size = 4096
5/6/2022 -- 23:13:47 - <Notice> - Using host.prealloc = 1000
5/6/2022 -- 23:13:47 - <Notice> - Host config from suricata.yaml: memcap: 33554432, hash-size: 4096, prealloc: 1000
5/6/2022 -- 23:13:47 - <Info> - fast output device (regular) initialized: fast.log
5/6/2022 -- 23:13:47 - <Info> - stats output device (regular) initialized: stats.log
5/6/2022 -- 23:13:47 - <Info> - Running in live mode, activating unix socket
5/6/2022 -- 23:13:47 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/suricata.rules
5/6/2022 -- 23:13:56 - <Info> - 2 rule files processed. 26283 rules successfully loaded, 0 rules failed
5/6/2022 -- 23:13:56 - <Info> - Threshold config parsed: 0 rule(s) found
5/6/2022 -- 23:14:00 - <Info> - 26286 signatures processed. 1278 are IP-only rules, 4155 are inspecting packet payload, 20650 inspect application layer, 108 are decoder event only
5/6/2022 -- 23:16:13 - <Info> - Using 2 live device(s).
5/6/2022 -- 23:16:13 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth0': Not supported (122)
5/6/2022 -- 23:16:13 - <Info> - Running in live mode, activating unix socket
5/6/2022 -- 23:16:13 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
5/6/2022 -- 23:16:13 - <Notice> - all 6 packet processing threads, 4 management threads initialized, engine started.
5/6/2022 -- 23:16:13 - <Info> - All AFP capture threads are running.

(attached: suricata.yaml, 71.5 KB)

After some testing, I can confirm I receive that error under --runmode workers. I can’t use single to test because single can’t be used on multiple devices. It seems suricata is using the br-lan interface 4 times for things like af-packet and pcap streams? --runmode autofp does not generate the error.

The interface section shows eth0 for af-packet but the uci show says br-lan. So can you paste the command line when suricata is running? We just need to see how Suricata is actually running with regard to the capture method.
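The alert in this thread (sid 2210059) and the stats counter tcp.pkt_on_wrong_thread record the same condition: a packet belonging to an existing flow is processed by a different worker thread than the one that handled that flow before. In workers mode each thread owns the flows its capture socket hands it, so the alert means the capture method's load balancing is not keeping a flow on one thread. The startup log above shows Suricata opening two live devices, eth0 and br-lan; if eth0 is a port of br-lan (the thread does not say), the same frame is captured twice and hashed independently on each interface, which is one way to produce exactly this symptom. autofp hides it because a single flow-aware dispatcher redistributes packets after capture, at the cost of the extra packet hand-off. The following script is an added example, not code from the thread or from the Suricata project: it extracts the running process's command line, dumps the af-packet section of the loaded config with the real suricata --dump-config flag, and computes the wrong-thread share from stats.log so the OP can tell whether the problem persists without waiting for fast.log alerts. Paths are taken from the uci output above; the constructed sample stats.log in write_sample_stats exists only so the parsing runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project): check how Suricata
# is actually running and whether "pkt seen on wrong thread" is still being counted.

# Latest value of a stats.log counter. Counters are cumulative and stats.log
# appends a snapshot per interval, so the last match is the current value.
# stats.log rows look like: "tcp.pkt_on_wrong_thread | Total | 1234".
stats_counter() {
    # $1 = counter name, $2 = path to stats.log
    awk -v name="$1" '$1 == name { v = $NF } END { print (v == "" ? 0 : v) }' "$2"
}

# Share (integer percent) of packets that hit the wrong worker thread,
# relative to everything the kernel handed to af-packet.
wrong_thread_pct() {
    wrong=$(stats_counter tcp.pkt_on_wrong_thread "$1")
    total=$(stats_counter capture.kernel_packets "$1")
    [ "$total" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( wrong * 100 / total ))
}

# Capture-relevant view of the live process: the exact command line (run mode,
# interfaces) and the af-packet keys of the config Suricata merged and loaded.
show_running() {
    pid=$(pidof suricata 2>/dev/null | awk '{ print $1 }')
    if [ -z "$pid" ]; then
        echo "suricata is not running"
        return 1
    fi
    echo "cmdline: $(tr '\0' ' ' < /proc/"$pid"/cmdline)"
    # --dump-config prints "key = value" lines for the whole merged config;
    # keep the af-packet section, which is where cluster-type/cluster-id live.
    suricata --dump-config -c /etc/suricata/suricata.yaml 2>/dev/null | grep '^af-packet'
}

# Constructed sample stats.log (two snapshots) so the functions can be exercised
# offline. The numbers are made up; they are not from the OP's box.
write_sample_stats() {
    cat > "$1" <<'EOF'
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 100000
tcp.pkt_on_wrong_thread                       | Total                     | 1200
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 200000
tcp.pkt_on_wrong_thread                       | Total                     | 9000
EOF
}

SAMPLE="${TMPDIR:-/tmp}/suricata-stats-sample.log"
write_sample_stats "$SAMPLE"
echo "wrong-thread packets (sample): $(stats_counter tcp.pkt_on_wrong_thread "$SAMPLE")"
echo "wrong-thread share (sample):   $(wrong_thread_pct "$SAMPLE")%"

# Against the real box; logdir comes from the uci output in the thread.
REAL=/var/log/suricata/stats.log
if [ -r "$REAL" ]; then
    echo "wrong-thread share (live):     $(wrong_thread_pct "$REAL")%"
fi
show_running || true
```

If the live share is non-zero under workers mode and the dump shows more than one af-packet interface, the next thing to compare is whether those interfaces carry the same frames (a bridge and one of its ports will) and whether they share a cluster-type; a flow that is hashed on two sockets has no guarantee of landing on the same thread twice.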