Suricata on IPSec VTI interface

tomas.kacha · January 26, 2023, 4:13pm

if I start suricata via systemd, the following entries are written to suricata.log:

“ - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - datalink type 768 not yet supported”

if I run suricata via cli, suricata works normally

suricata.yaml
…
af-packet:

Could someone please advise?

Suricata v6.0.1
The main OS is Debian 11.6

jmtaylor90 · January 27, 2023, 3:19pm

Can you share the unit file configuration used when starting via systemd and also the command line used to start suricata from the cli?

JT

tomas.kacha · June 12, 2023, 10:11am

Thank you for your reply,
the problem was with af_packet mode, after changing to nfqueue everything works fine.

Tomas

Topic		Replies	Views
Suricata does not start in IPS mode Help ips , suricata	1	38	April 17, 2024
Ubuntu 20.04 : how to start suricata with systemctl in NFQ mode Help	1	547	March 7, 2021
Could not start suricata service in IPS Mode Help ips , suricata	2	602	June 8, 2023
Getting error after setting Suricata as a IPS Help	2	710	February 14, 2022
Suricata iptables and nft errors when all is setting up correctly Help	3	172	December 12, 2023