Bug #8209

Suricata Inline netmap bad packet errors

Added by Stan Masterson almost 2 years ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date: 12/14/2017
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture:

Description

Using pfSense 2.4.2 and Suricata 4.0.1_1 in Inline mode, I see errors like this appearing in the system log rather frequently.
Dec 14 10:35:00 kernel 900.798878 [1071] netmap_grab_packets bad pkt at 1336 len 2333
Dec 14 10:35:00 kernel 900.821493 [1071] netmap_grab_packets bad pkt at 1339 len 2333
Dec 14 09:35:00 kernel 300.616829 [1071] netmap_grab_packets bad pkt at 817 len 2333
Dec 14 09:35:00 kernel 300.593938 [1071] netmap_grab_packets bad pkt at 813 len 2333
Dec 14 09:04:00 kernel 439.898908 [1071] netmap_grab_packets bad pkt at 1505 len 3117
Dec 14 08:35:00 kernel 700.813980 [1071] netmap_grab_packets bad pkt at 1623 len 2333
Dec 14 08:35:00 kernel 700.662881 [1071] netmap_grab_packets bad pkt at 1616 len 2333
Dec 14 08:35:00 kernel 700.598831 [1071] netmap_grab_packets bad pkt at 1610 len 2333
Dec 14 08:35:00 kernel 700.576523 [1071] netmap_grab_packets bad pkt at 1607 len 2333

Nothing unusual appears in any other log with these timestamps.
The only thing that jumped out at me was most of the errors happen every hour, and there are no Cron jobs on that same schedule.

A note to point out is this happens only on a high traffic volume WAN interface and not on another identical system which has a much lower traffic volume. There is not enough info in the log to track down whether these are actual bad packets that arrive on the interface or good packets that are being dropped.

The hardware is using Intel i5-3570 @ 3.4GHz, 16GB memory, 6 active interface ports, and Intel (3)i350T2V2 NICs using the igb driver. Also have tried Intel i210-T1 NIC as the WAN interface with the same results.

Have tried changing some igb and netmap tunables which never made any difference.

If there are any tests I can run to provide more information, please let me know.

Thank you.
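
To test the hourly pattern noted in the description against a longer system log, this added example (not part of the original report, and not pfSense or Suricata code) parses netmap_grab_packets "bad pkt" lines in the format quoted above and counts them per minute-of-hour and per reported length. The function names are hypothetical, and the embedded sample is the set of lines quoted in the report.

```python
import re
from collections import Counter

# The lines quoted in the report, embedded so the script runs offline.
SAMPLE = """\
Dec 14 10:35:00 kernel 900.798878 [1071] netmap_grab_packets bad pkt at 1336 len 2333
Dec 14 10:35:00 kernel 900.821493 [1071] netmap_grab_packets bad pkt at 1339 len 2333
Dec 14 09:35:00 kernel 300.616829 [1071] netmap_grab_packets bad pkt at 817 len 2333
Dec 14 09:35:00 kernel 300.593938 [1071] netmap_grab_packets bad pkt at 813 len 2333
Dec 14 09:04:00 kernel 439.898908 [1071] netmap_grab_packets bad pkt at 1505 len 3117
Dec 14 08:35:00 kernel 700.813980 [1071] netmap_grab_packets bad pkt at 1623 len 2333
Dec 14 08:35:00 kernel 700.662881 [1071] netmap_grab_packets bad pkt at 1616 len 2333
Dec 14 08:35:00 kernel 700.598831 [1071] netmap_grab_packets bad pkt at 1610 len 2333
Dec 14 08:35:00 kernel 700.576523 [1071] netmap_grab_packets bad pkt at 1607 len 2333
"""

# Syslog time, then the kernel message exactly as it appears in the report.
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+(?P<hour>\d{2}):(?P<minute>\d{2}):\d{2}\s+kernel\s+"
    r"\S+\s+\[\d+\]\s+netmap_grab_packets bad pkt at (?P<slot>\d+) len (?P<len>\d+)\s*$"
)

def parse(text):
    """Return one dict per 'bad pkt' line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({k: int(v) for k, v in m.groupdict().items()})
    return events

def summarize(events):
    """Count events per minute-of-hour and per reported packet length."""
    by_minute = Counter(e["minute"] for e in events)
    by_len = Counter(e["len"] for e in events)
    minute, hits = by_minute.most_common(1)[0] if events else (None, 0)
    # Hours in which the busiest minute-of-hour recurs.
    hours = sorted({e["hour"] for e in events if e["minute"] == minute})
    return {"total": len(events), "by_minute": dict(by_minute),
            "by_len": dict(by_len), "peak_minute": minute,
            "peak_share": hits / len(events) if events else 0.0,
            "peak_hours": hours}

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

A peak minute that recurs across many hours points at something scheduled rather than random line noise, and a single dominant length suggests one recurring traffic source worth capturing on the wire at that minute.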

History

#1 Updated by Jim Pingle about 1 month ago

  • Project changed from pfSense to pfSense Packages
  • Category set to Suricata
  • Status changed from New to Closed

This report is rather old and several pfSense and Suricata versions ago. If it's still a problem, gather more detail and create a new issue.
