Potential Suricata Inline Netmap Solution

NollipfSense

(681.325066 [1071] netmap_grab_packets bad pkt at 975 len 2163) What I understand from that line is a packet of 2163 bytes was dropped because the default is dev.netmap.buf_size:2048 bytes. So, I increased the size, which made it work smoothly; however, if I reboot the Pfsense machine, I noticed that dev.netmap.buf_size:2048 returns.

So, how to make that increase permanent? I was even thinking of 6144 bytes buffer size since I have 8GB RAM.
![Screen Shot 2018-04-12 at 9.00.07 PM.png](/public/imported_attachments/1/Screen Shot 2018-04-12 at 9.00.07 PM.png)
![Screen Shot 2018-04-12 at 9.00.07 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2018-04-12 at 9.00.07 PM.png_thumb)

SteveITS

Will it work to add it on the System/Advanced/System Tunables page?

If not, a while back I had to edit something from Diagnostics/Edit File to fix a boot issue in a VM (long story and not relevant anymore).

NollipfSense

Well, it seems that one can use the sysctl.conf to make it permanently per here: https://www.freebsd.org/doc/handbook/configtuning-sysctl.html

However, I was cautioned by one of the persons responsible for Netmap that large packet is a weird behavior and that I should contact Suricata folks. I did share with what was said here: https://forum.pfsense.org/index.php?topic=124331.0
So, I'll stick with the buffer size 4096 bytes in the meanwhile.

NollipfSense

Just updating the thread that the buffer size of 4096bytes is working flawlessly so far. Hopefully, this week I'll find some time to stream a movie while simultaneously surf Flickr to further testing.

NollipfSense

Well, yesterday I got one for the first time in two weeks running dev.netmap.buf_size:4096 and while loading a dot io web page.

Apr 23 12:47:31 kernel 651.457157 [1071] netmap_grab_packets bad pkt at 779 len 3770

So, I sent the info to the person on the developer team that I have been communicating with to get feedback.

NollipfSense

Okay, to follow up, I haven't got any kernel alert in awhile; however, what I understand is, it actually seems to be a Suricata issue as this happens in the context of a system call issued by the suricata process (pid 1071).

derpy456789

Hello NollipfSense,

Just wondering what kind of system/specs are you running suricata inline on and also did you change any setting inside the interface setting of suricata like the Detection engine settings for max pending packets ?

Ive been getting the same error

netmap_grab_packets bad pkt

Thanks

NollipfSense

@derpy456789 said in Potential Suricata Inline Netmap Solution:

Hello NollipfSense,

Just wondering what kind of system/specs are you running suricata inline on and also did you change any setting inside the interface setting of suricata like the Detection engine settings for max pending packets ?

Ive been getting the same error

netmap_grab_packets bad pkt

Thanks

Sorry for the late reply...I am running an HP Pavillion a6242n with Intel 82575 NIC 8GB RAM.