Suricata causing kernel error "netmap_grab_packets bad pkt at"
-
Thanks for the reply and explanation, I understand a little better about how the package is implemented now. I'm also somewhat glad to hear that this isn't something I did incorrectly.
-
I don't mean to sound condescending with this reply, but it has been posted here over and over and over, since the inline IPS mode was introduced, that only certain network drivers work with netmap, and that netmap support is required of your hardware in order for inline IPS mode to function. The very error message you are seeing tells you what is wrong – your hardware (and thus the NIC driver your system is using) is not supported with netmap. When you see any error message with netmap in it, that pretty much screams your particular NIC does not support it.
That error is a network driver issue and has nothing at all to do with Suricata. Netmap is a special technology recently added to FreeBSD and even more recently as an option in pfSense. However, it has been clearly stated it only works with a handful of network drivers. You can search Google and the FreeBSD site to find network drivers for FreeBSD that support netmap. Then go buy you enough of those cards to use on all the network interfaces in your firewalls and Suricata will then work using inline IPS mode.
Bill
Bill - Just out of curiosity, could NICs that don't support netmap native be forced to use emulation as suggested in the FreeBSD documentation?
Some aspect of the operation of netmap are controlled through sysctl variables on FreeBSD (dev.netmap.) and module parameters on Linux (/sys/module/netmap_lin/parameters/):
dev.netmap.admode: 0
Controls the use of native or emulated adapter mode. 0 uses the best available option, 1 forces native and fails if not available, 2 forces emulated hence never fails.
-
I think we need a sticky here, pointing people having issues with netmap to FreeBSD upstream and not the poor pfSense Suricata package maintainer. Other serious issues with netmap include:
Broken VLANs - https://redmine.pfsense.org/issues/6690
Broken Traffic Shaper - https://redmine.pfsense.org/issues/6023
There's nothing that bmeeks could do here, stop bugging him! :P
Hello @doktornotor ,
I don't know what is the policy of pfSense, and also I don't know if you are the proper person to ask, but being just a question I hope you will not get angry.
Do you think recompiling the kernel in order to add some Intel drivers will solve the netmap issue (will this make some Intel NICs supported to work in Inline mode)? Or maybe in the form of a kernel module, to be loaded if needed?
Will this deviate from FreeBSD policy or pfSense policy?
-
I don't mean to sound condescending with this reply, but it has been posted here over and over and over, since the inline IPS mode was introduced, that only certain network drivers work with netmap, and that netmap support is required of your hardware in order for inline IPS mode to function. The very error message you are seeing tells you what is wrong – your hardware (and thus the NIC driver your system is using) is not supported with netmap. When you see any error message with netmap in it, that pretty much screams your particular NIC does not support it.
That error is a network driver issue and has nothing at all to do with Suricata. Netmap is a special technology recently added to FreeBSD and even more recently as an option in pfSense. However, it has been clearly stated it only works with a handful of network drivers. You can search Google and the FreeBSD site to find network drivers for FreeBSD that support netmap. Then go buy you enough of those cards to use on all the network interfaces in your firewalls and Suricata will then work using inline IPS mode.
Bill
Bill - Just out of curiosity, could NICs that don't support netmap native be forced to use emulation as suggested in the FreeBSD documentation?
Some aspect of the operation of netmap are controlled through sysctl variables on FreeBSD (dev.netmap.) and module parameters on Linux (/sys/module/netmap_lin/parameters/):
dev.netmap.admode: 0
Controls the use of native or emulated adapter mode. 0 uses the best available option, 1 forces native and fails if not available, 2 forces emulated hence never fails.
I don't know. I am not familiar with the FreeBSD kernel internals nor any of the tunable parameters.
Bill
-
I don't know. I am not familiar with the FreeBSD kernel internals nor any of the tunable parameters.
Bill
Ok thank you sir, appreciate the response and assistance.
-
I don't mean to sound condescending with this reply, but it has been posted here over and over and over, since the inline IPS mode was introduced, that only certain network drivers work with netmap, and that netmap support is required of your hardware in order for inline IPS mode to function. The very error message you are seeing tells you what is wrong – your hardware (and thus the NIC driver your system is using) is not supported with netmap. When you see any error message with netmap in it, that pretty much screams your particular NIC does not support it.
That error is a network driver issue and has nothing at all to do with Suricata. Netmap is a special technology recently added to FreeBSD and even more recently as an option in pfSense. However, it has been clearly stated it only works with a handful of network drivers. You can search Google and the FreeBSD site to find network drivers for FreeBSD that support netmap. Then go buy you enough of those cards to use on all the network interfaces in your firewalls and Suricata will then work using inline IPS mode.
Bill
Bill - Just out of curiosity, could NICs that don't support netmap native be forced to use emulation as suggested in the FreeBSD documentation?
Some aspect of the operation of netmap are controlled through sysctl variables on FreeBSD (dev.netmap.) and module parameters on Linux (/sys/module/netmap_lin/parameters/):
dev.netmap.admode: 0
Controls the use of native or emulated adapter mode. 0 uses the best available option, 1 forces native and fails if not available, 2 forces emulated hence never fails.
I don't know. I am not familiar with the FreeBSD kernel internals nor any of the tunable parameters.
Bill
Hello @bmeeks
As stated by @doktornotor you're not the appropriate person to ask this, but I don't know whom to ask.
I found this on FreeBSD, I will put some quotes, and the link:
"The drivers for common NICs are already present in the GENERIC kernel"…"If the driver for the NIC is not present in GENERIC, but a driver is available, the driver will need to be loaded before the NIC can be configured and used."...
"This may be accomplished in one of two ways:
* The easiest way is to load a kernel module for the NIC using kldload(8). To also automatically load the driver at boot time, add the appropriate line to /boot/loader.conf. Not all NIC drivers are available as modules.
* Alternatively, statically compile support for the NIC into a custom kernel. "
The link is here (section 11.5.1 ):
https://www.freebsd.org/doc/en/books/handbook/config-network-setup.html
Can you direct me to the proper person to ask, if this will solve the netmap issues?
Thanks
-
Just looking for some assistance on this issue. Only seeing this issue when running inline mode, doesn't happen if I switch it to legacy. All offloading options are disabled under the advanced tab. Easy to replicate, have the same issues on 3 different systems.
Jan 21 20:33:58 kernel 438.215029 [1162] netmap_grab_packets bad pkt at 536 len 2331
Jan 21 20:33:58 kernel 438.168943 [1162] netmap_grab_packets bad pkt at 526 len 2331
Jan 21 20:32:40 kernel 360.586684 [1162] netmap_grab_packets bad pkt at 895 len 2163
Jan 21 20:32:40 kernel 360.310778 [1162] netmap_grab_packets bad pkt at 877 len 2164
Jan 21 20:32:40 kernel 360.219529 [1162] netmap_grab_packets bad pkt at 855 len 2164
Jan 21 20:32:40 kernel 360.198430 [1162] netmap_grab_packets bad pkt at 850 len 2164
Jan 21 20:32:40 kernel 360.197684 [1162] netmap_grab_packets bad pkt at 846 len 2164
I don't mean to sound condescending with this reply, but it has been posted here over and over and over, since the inline IPS mode was introduced, that only certain network drivers work with netmap, and that netmap support is required of your hardware in order for inline IPS mode to function. The very error message you are seeing tells you what is wrong – your hardware (and thus the NIC driver your system is using) is not supported with netmap. When you see any error message with netmap in it, that pretty much screams your particular NIC does not support it.
That error is a network driver issue and has nothing at all to do with Suricata. Netmap is a special technology recently added to FreeBSD and even more recently as an option in pfSense. However, it has been clearly stated it only works with a handful of network drivers. You can search Google and the FreeBSD site to find network drivers for FreeBSD that support netmap. Then go buy you enough of those cards to use on all the network interfaces in your firewalls and Suricata will then work using inline IPS mode.
Bill
FYI - Suricata seems to generate lots of these errors for me on supported hardware/drivers. I'm using Intel 82575/82576:
SUPPORTED DEVICES
netmap natively supports the following devices:
On FreeBSD: em(4), igb(4), ixgbe(4), lem(4), re(4).
ref: https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4
-
FYI - Suricata seems to generate lots of these errors for me on supported hardware/drivers. I'm using Intel 82575/82576:
https://bugs.freebsd.org/bugzilla/ - and no, it's not a Suricata issue. Will not get fixed here.
-
FYI - Suricata seems to generate lots of these errors for me on supported hardware/drivers. I'm using Intel 82575/82576:
https://bugs.freebsd.org/bugzilla/ - and no, it's not a Suricata issue. Will not get fixed here.
The statement that @RadOD made was a reply to @bmeeks, (I think : ) ) that told us that, when we see that kind of error, it means netmap doesn't support our NICs. The issue happens to me also with Suricata 3.1.2, and it didn't happen with the previous version.
So you say that it's a bug, and @bmeeks says that it happens with cards that are not supported.
This is my understanding, and it's confusing, meaning that 2 veteran users are stating different things (no pointing fingers here, just want to be inline).
Sorry, if it's just me.
-
Got these errors sometimes multiple times in a minute on two pfSense SG-8860 firewalls (igb interfaces) with Suricata in inline mode. They are now being reverted to legacy mode due to multiple problems.
-
I also am using supported hardware and get quite a few of these bad pkt errors as well. I think I am going back to legacy mode for now. It is better than it was a year ago when inline really bugged things up. I will go back to it in the future. Real shame since legacy doesn't stop everything you want.
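
Added example, not part of the thread and not pfSense or Suricata code: a small Python triage helper that combines the netmap(4) native driver list and the `dev.netmap.admode` meanings quoted above with a count of the `netmap_grab_packets bad pkt` messages, to separate "driver not on the native list" from "errors on a natively supported driver". It assumes the log layout shown in the thread and that an interface name minus its unit number is the driver name; the function names and the `bge0` interface used in testing are hypothetical.

```python
import re
from collections import Counter

# Native-netmap drivers on FreeBSD, per the netmap(4) excerpt quoted in the thread.
NATIVE_DRIVERS = {"em", "igb", "ixgbe", "lem", "re"}
# Assumed log layout: the same layout as the lines posted in the thread.
BAD_PKT = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d kernel \S+ \[\d+\] "
                     r"netmap_grab_packets bad pkt at (\d+) len (\d+)")
# Four of the log lines posted in the thread, reused as sample input.
SAMPLE = """\
Jan 21 20:33:58 kernel 438.215029 [1162] netmap_grab_packets bad pkt at 536 len 2331
Jan 21 20:33:58 kernel 438.168943 [1162] netmap_grab_packets bad pkt at 526 len 2331
Jan 21 20:32:40 kernel 360.586684 [1162] netmap_grab_packets bad pkt at 895 len 2163
Jan 21 20:32:40 kernel 360.310778 [1162] netmap_grab_packets bad pkt at 877 len 2164
""".splitlines()

def adapter_mode(ifname, admode):
    """Map an interface and dev.netmap.admode to 'native', 'emulated' or 'fails'."""
    # Assumption: interface name minus its unit number equals the driver name.
    native = ifname.rstrip("0123456789") in NATIVE_DRIVERS
    if admode == 2:                      # forces emulated, never fails
        return "emulated"
    if admode == 1:                      # forces native, fails if not available
        return "native" if native else "fails"
    if admode == 0:                      # best available option
        return "native" if native else "emulated"
    raise ValueError(f"unexpected dev.netmap.admode value: {admode}")

def summarize_bad_pkts(lines):
    """Count 'bad pkt' messages per minute and track the reported lengths."""
    per_minute, lengths = Counter(), []
    for line in lines:
        m = BAD_PKT.match(line)
        if m:
            per_minute[m.group(1)] += 1
            lengths.append(int(m.group(3)))
    return {"total": len(lengths), "per_minute": dict(per_minute),
            "min_len": min(lengths, default=None), "max_len": max(lengths, default=None)}

def triage(ifname, admode, lines):
    """Return (mode, stats, verdict) for one interface and its kernel log lines."""
    mode, stats = adapter_mode(ifname, admode), summarize_bad_pkts(lines)
    if stats["total"] == 0:
        verdict = "clean"          # no bad pkt messages in the supplied lines
    elif mode == "native":
        verdict = "upstream"       # listed driver still errors: FreeBSD bug report
    else:
        verdict = "unsupported"    # driver is not on the native list
    return mode, stats, verdict
```

On a live firewall, the `admode` argument would come from `sysctl dev.netmap.admode` and the lines from the system log.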