Unable to find type for iface "eth0"

Hi,

I’m trying to start a fresh suricata 4.1.8 installation on rhel 7.

I’ve read the steps in the documentation so I’ve configured HOME_NET with the right address and set the interface in the af-packet section to the nic I want to listen to.

When I run suricata by “systemctl start suricata”, I constantly get the fatal errors below; it can’t find eth0. I don’t have an eth0 in my machine and I haven’t configured this in my suricata.yaml.

When I run sudo suricata -c /etc/suricata/suricata.yaml -i ens192:3 it starts without the errors below.

Why does it search for eth0 when I start with suricata.yaml file?

I hope someone can help me out. I’ve been testing for 2 days now, and it would be nice to move a little forward :)

26/8/2020 -- 09:19:30 - <Notice> - This is Suricata version 4.1.8 RELEASE
26/8/2020 -- 09:19:30 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'eth0': No such device (19)
26/8/2020 -- 09:19:30 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'eth0': No such device (19)
26/8/2020 -- 09:19:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find type for iface "eth0": No such device
26/8/2020 -- 09:19:30 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
26/8/2020 -- 09:19:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
26/8/2020 -- 09:19:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
26/8/2020 -- 09:19:30 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed

Thanks in advance for your time and effort, it’s greatly appreciated!

Hi
grep eth0 /etc/suricata/suricata.yaml returns no results?

Thanks for the quick reply @syoc. The grep does have some results, but only for pcap and pfring, not for af-packet. If I enter my nic for pcap and pfring, the results stay the same. Also on another machine.

sudo grep -B 1 eth0 /etc/suricata/suricata.yaml 

pcap:
  - interface: eth0
--
#
netmap:
   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
--
   # To specify the OS as the copy-iface (so the OS can route packets, or forward
   # to a service running on the same machine) add a plus sign at the end
   # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
   # for return packets. Hardware checksumming must be *off* on the interface if
   # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
   # or 'ethtool -K eth0 tx off rx off' for Linux).
--
# for more info see http://www.ntop.org/products/pf_ring/
pfring:
  - interface: eth0

Are you using the RPM? Set the interface in /etc/sysconfig/suricata.


Engine started! Thank you very much @jasonish_user

Thanks, I had the same problem and I had to edit the config file under sysconfig. Wonder why this wasn’t mentioned in the installation/quickstart. Much appreciated anyway.
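
An added example, not part of the thread or of Suricata's packaging: a check for the situation resolved above, where the service takes its capture interface from /etc/sysconfig/suricata rather than from suricata.yaml. It assumes the file passes command-line options in an OPTIONS= variable; the function names, the sample file content and the test directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the sysconfig file passes Suricata's command-line
# options in OPTIONS="..." and the service unit appends them to the command.

# Print each capture interface named in OPTIONS (-i, --af-packet=, --pcap=).
sysconfig_ifaces() {
    opts=$(sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" 2>/dev/null |
           tail -n 1 | tr -d "\"'")
    set -- $opts                      # split the option string into words
    while [ $# -gt 0 ]; do
        case $1 in
            -i) if [ $# -gt 1 ]; then printf '%s\n' "$2"; shift; fi ;;
            -i?*) printf '%s\n' "${1#-i}" ;;
            --af-packet=?*|--pcap=?*) printf '%s\n' "${1#*=}" ;;
        esac
        shift
    done
}

# Print the interfaces from the file that do not exist under the given
# sysfs directory (default /sys/class/net). Empty output means all exist.
missing_ifaces() {
    sysnet=${2:-/sys/class/net}
    for iface in $(sysconfig_ifaces "$1"); do
        dev=${iface%%:*}              # "ens192:3" is an alias label on ens192
        [ -e "$sysnet/$dev" ] || printf '%s\n' "$iface"
    done
}

# Demo on constructed data: a host with ens192 only, options naming eth0.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/net/ens192" "$tmp/net/lo"
    printf '%s\n' '# constructed sample' \
        'OPTIONS="-i eth0 --user suricata"' > "$tmp/suricata"
    echo "not present on this host: $(missing_ifaces "$tmp/suricata" "$tmp/net")"
    rm -rf "$tmp"
}
demo
```

On a real host, `missing_ifaces /etc/sysconfig/suricata` run before `systemctl start suricata` lists any interface the service would be told to open that the machine does not have.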