Suricata randomly stops scanning interface

nug · Jul 15, 2015, 4:35 AM

Suricata seems to run fine scanning my WAN connection. Randomly I get the following line in the suricata.log file:

15/7/2015 -- 10:32:02 - <error>-- [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 The interface went down</error>

I have to turn off Suricata and start it again (hitting restart doesn't always seem to work).

Is this a common issue?

bmeeks · Jul 15, 2015, 10:34 PM

That is the first time that error has been reported. From the text it appears something is happening to the libpcap process Suricata uses to capture packets. What brand of physical NIC is in the box?

Bill

nug · Jul 16, 2015, 1:37 AM

I'm using an onboard NIC and USB NIC:

LAN/re0 = <realtek 8111="" 8168="" b="" c="" cp="" d="" dp="" e="" f="" g="" pcie="" gigabit="" ethernet="">port 0xe800-0xe8ff mem 0xf8fff000-0xf8ffffff,0xf8ff8000-0xf8ffbfff irq 17 at device 0.0 on pci4
WAN/pppoe0 = gen5.2: <product 0x7720="" vendor="" 0x0b95="">at usbus5, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (250mA)</product></realtek>

I'm not 100% about the USB NIC listing as my freeBSD CLI knowledge is lacking. Is there another command other than usbconfig I run to get the details? I know it's a Belkin USB device.

After writing this I'm starting to wonder if I switch my cables around and use the onboard as my WAN interface…

bmeeks · Jul 17, 2015, 5:56 PM

Swapping cables would be one thing to try. It is possible that the libpcap library and the USB NIC don't play well together.

Bill