Potential Suricata Inline Netmap Solution

  • (681.325066 [1071] netmap_grab_packets      bad pkt at 975 len 2163) What I understand from that line is that a packet of 2163 bytes was dropped because the default is dev.netmap.buf_size:2048 bytes. So, I increased the size, which made it work smoothly; however, if I reboot the pfSense machine, I notice that dev.netmap.buf_size:2048 returns.

    So, how to make that increase permanent? I was even thinking of a 6144-byte buffer size since I have 8GB RAM.

  • Will it work to add it on the System/Advanced/System Tunables page?

    If not, a while back I had to edit something from Diagnostics/Edit File to fix a boot issue in a VM (long story and not relevant anymore).

  • Well, it seems that one can use the sysctl.conf to make it permanent, per here: https://www.freebsd.org/doc/handbook/configtuning-sysctl.html

    However, I was cautioned by one of the persons responsible for Netmap that a large packet is weird behavior and that I should contact the Suricata folks. I did share what was said here: https://forum.pfsense.org/index.php?topic=124331.0
    So, I’ll stick with the buffer size of 4096 bytes in the meantime.

  • Just updating the thread that the buffer size of 4096 bytes is working flawlessly so far. Hopefully, this week I’ll find some time to stream a movie while simultaneously surfing Flickr for further testing.

  • Well, yesterday I got one for the first time in two weeks running dev.netmap.buf_size:4096 and while loading a dot io web page.

    Apr 23 12:47:31 kernel 651.457157 [1071] netmap_grab_packets bad pkt at 779 len 3770

    So, I sent the info to the person on the developer team that I have been communicating with to get feedback.
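
An added example, not part of any post in this thread: a small sh/awk filter that tallies the lengths reported in `netmap_grab_packets bad pkt` kernel messages against a given `dev.netmap.buf_size`, to show how many rejected packets exceeded the buffer and how large the biggest one was. The function names are hypothetical, and the sample log is constructed from the two lines quoted in the posts above plus one unrelated constructed line.

```shell
#!/bin/sh
# Summarize netmap "bad pkt" kernel messages against a netmap buffer size.
# Usage: netmap_bad_pkts [BUF_SIZE] < logfile
# If BUF_SIZE is omitted, the live sysctl value is used, falling back to
# 2048 (the default mentioned in the thread) when the sysctl is unavailable.
netmap_bad_pkts() {
    buf="${1:-$(sysctl -n dev.netmap.buf_size 2>/dev/null || echo 2048)}"
    awk -v buf="$buf" '
        /netmap_grab_packets/ && /bad pkt/ {
            for (i = 1; i < NF; i++) {
                if ($i == "len") {
                    len = $(i + 1)
                    gsub(/[^0-9]/, "", len)   # drop a trailing ")" or similar
                    len += 0                  # force numeric comparison
                    total++
                    if (len > buf) over++
                    if (len > max) max = len
                }
            }
        }
        END { printf "total=%d oversized=%d max_len=%d\n", total, over, max }
    '
}

# Constructed sample input: the two log lines quoted in the thread,
# plus one unrelated line (constructed) that must be ignored.
sample_log() {
    cat <<'EOF'
(681.325066 [1071] netmap_grab_packets      bad pkt at 975 len 2163)
Apr 23 12:47:30 kernel em0: link state changed to UP
Apr 23 12:47:31 kernel 651.457157 [1071] netmap_grab_packets bad pkt at 779 len 3770
EOF
}

# Compare the same messages against the 2048 default and the 4096 setting.
sample_log | netmap_bad_pkts 2048
sample_log | netmap_bad_pkts 4096
```

On a live system the input would come from the kernel log instead of `sample_log`, for example `dmesg | netmap_bad_pkts`.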

  • Okay, to follow up, I haven’t got any kernel alert in a while; however, what I understand is, it actually seems to be a Suricata issue as this happens in the context of a system call issued by the suricata process (pid 1071).

  • Hello NollipfSense,

    Just wondering what kind of system/specs you are running Suricata inline on, and also did you change any setting inside the interface settings of Suricata, like the Detection engine settings for max pending packets?

    I've been getting the same error

    netmap_grab_packets bad pkt


