[Snort-devel] Snort 3 netmap cant access gateway on FREEBSD

Masud Hasan (mashasan) mashasan at cisco.com
Wed Oct 31 11:52:49 EDT 2018

Please turn promiscuous mode on and LRO/GRO off for both interfaces of the pair (em1 and em2) as root. Before running snort, please make sure you can reach any machine on the LAN where em2 is connected. After running snort with em1:em2 inlined, you should be able to reach that LAN from the LAN where em1 is connected.

You can also enable debug by adding "--daq-var debug" to the snort command and adding rc_debug="YES" in the rc.conf file.

If netmap does not work, do other DAQ modes work? Here is an example for Ubuntu:

Also, are you on the latest FreeBSD with an updated netmap? I find some online forums discussing issues with older netmap builds.


On Oct 31, 2018, at 5:58 AM, yunus.can at arjeta.com.tr wrote:


We installed Snort in netmap mode again, because ipfw mode does not yet support multithreading.

rc.conf ----> network configuration
ifconfig_em0="DHCP" ---->internet uplink      subnet -> ( dhcp lease
ifconfig_em1="inet netmask"
ifconfig_em2="inet netmask"

I started it with this command:

ifconfig em1 promisc up

/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --daq-dir /usr/local/lib/daq --daq netmap -i em1 -A alert_full -Q

I see an error:

netmap DAQ configured to inline.
Commencing packet processing
++ [0] em1
Can't initialize DAQ netmap (-1) - netmap_daq_initialize: Invalid interface specification: 'em1'!
-- [0] em1
Packet Statistics
Module Statistics
Summary Statistics
                  runtime: 00:00:00
                  seconds: 0.1822
                  packets: 0
                 pkts/sec: 0
o")~   Snort exiting

And again, a different start with this multiple-interface command:

ifconfig em1 promisc up

/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --daq-dir /usr/local/lib/daq --daq netmap -i em1:em2 -A alert_full -Q

I saw this successful start message:
port rule counts
             tcp     udp    icmp      ip
     any     472       0       1       0
   total     472       0       1       0
netmap DAQ configured to inline.
Commencing packet processing
++ [0] em1:em2
  nr_tx_slots: 1024
  nr_rx_slots: 1024
  nr_tx_rings: 1
  [TX Ring 0]
    buf_ofs = 7299072
    num_slots = 1024
    nr_buf_size = 2048
    flags = 0x0
  nr_rx_rings: 1
  [RX Ring 0]
    buf_ofs = 7372800
    num_slots = 1024
    nr_buf_size = 2048
    flags = 0x0
  memsize:     343019520
  index:       1

But I can't access the gateway IP address:
64 bytes from icmp_seq=6157 ttl=64 time=0.264 ms
64 bytes from icmp_seq=6158 ttl=64 time=0.233 ms
64 bytes from icmp_seq=6159 ttl=64 time=0.325 ms
64 bytes from icmp_seq=6160 ttl=64 time=0.394 ms
64 bytes from icmp_seq=6161 ttl=64 time=0.354 ms
64 bytes from icmp_seq=6162 ttl=64 time=0.326 ms
64 bytes from icmp_seq=6163 ttl=64 time=0.332 ms
64 bytes from icmp_seq=6164 ttl=64 time=0.221 ms
64 bytes from icmp_seq=6165 ttl=64 time=0.339 ms
64 bytes from icmp_seq=6166 ttl=64 time=0.343 ms
64 bytes from icmp_seq=6167 ttl=64 time=0.398 ms
64 bytes from icmp_seq=6168 ttl=64 time=0.435 ms
64 bytes from icmp_seq=6169 ttl=64 time=0.410 ms
64 bytes from icmp_seq=6170 ttl=64 time=0.410 ms
64 bytes from icmp_seq=6171 ttl=64 time=0.383 ms
64 bytes from icmp_seq=6172 ttl=64 time=0.380 ms
64 bytes from icmp_seq=6173 ttl=64 time=0.313 ms
64 bytes from icmp_seq=6174 ttl=64 time=0.369 ms ---> started snort inline netmap module
Request timeout for icmp_seq 6175
Request timeout for icmp_seq 6176
Request timeout for icmp_seq 6177
Request timeout for icmp_seq 6178
Request timeout for icmp_seq 6179
Request timeout for icmp_seq 6180
Request timeout for icmp_seq 6181

FreeBSD version:

FreeBSD snort 11.2-RELEASE-p4

Snort version:

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0 (Build 247) FreeBSD
   ''''    By Martin Roesch & The Snort Team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using LuaJIT version 2.0.5
           Using OpenSSL 1.0.2p  14 Aug 2018
           Using libpcap version 1.9.0-PRE-GIT
           Using PCRE version 8.41 2017-07-05
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.8.0
           Using Hyperscan version 4.7.0 2018-10-03
           Using LZMA version 5.2.3

I read this link:
https://github.com/snort3/snort3/blob/master/doc/snort_manual.html --->

20.13.8. Netmap Module

        The netmap project is a framework for very high speed packet I/O. It
        is available on both FreeBSD and Linux with varying amounts of
        preparatory setup required. Specific notes for each follow.

        ./snort --daq netmap -i <device>
        [--daq-var debug]

        If you want to run netmap in inline mode, you must craft the device
        string as one or more interface pairs, where each member of a pair is
        separated by a single colon and each pair is separated by a double
        colon like this:


        or this:


        Inline operation performs Layer 2 forwarding with no MAC filtering,
        akin to the AFPacket module’s behavior. All packets received on one
        interface in an inline pair will be forwarded out the other interface
        unless dropped by the reader and vice versa.


        The interfaces will need to be up and in promiscuous mode in order to
        function (ifconfig em1 up promisc). The DAQ module does not currently
        do either of these configuration steps for itself.

        FreeBSD

        In FreeBSD 10.0, netmap has been integrated into the core OS. In
        order to use it, you must recompile your kernel with the line

        device netmap

        added to your kernel config.

I searched Google but I can't find enough on netmap with Snort.

What is my problem?

Can you help me?
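
Added example, not part of either message and not Snort or DAQ code: a pre-flight check covering the two conditions raised in this thread, namely that an inline (-Q) device string must be made of interface pairs, and that each interface must be up and promiscuous with LRO off. The function names inline_spec_ok and iface_problems are hypothetical, and the ifconfig output is constructed sample text, not taken from the poster's machine.

```sh
#!/bin/sh
# Added example: pre-flight checks for a netmap inline pair on FreeBSD.

# Succeeds only if $1 is one or more "ifA:ifB" pairs joined by "::",
# the form the manual excerpt requires for inline (-Q) operation.
inline_spec_ok() {
    rest=$1
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        case $rest in
            *::*) pair=${rest%%::*}; rest=${rest#*::}
                  [ -n "$rest" ] || return 1 ;;   # trailing "::" is invalid
            *)    pair=$rest; rest= ;;
        esac
        case $pair in
            *:*:*|:*|*:|*[!A-Za-z0-9_.:]*) return 1 ;;  # empty member or bad char
            *:*) ;;                                     # exactly two members
            *) return 1 ;;                              # single interface, e.g. "em1"
        esac
    done
    return 0
}

# Prints the problems found in one interface's ifconfig output ($1):
# "down", "no-promisc", "lro-on". Prints an empty line when it is ready.
iface_problems() {
    flags=$(printf '%s\n' "$1" | sed -n 's/.*flags=[0-9a-f]*<\([^>]*\)>.*/\1/p' | head -n 1)
    opts=$(printf '%s\n' "$1" | sed -n 's/.*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' | head -n 1)
    out=
    case ",$flags," in *,UP,*) ;; *) out="$out down" ;; esac
    case ",$flags," in *,PROMISC,*) ;; *) out="$out no-promisc" ;; esac
    case ",$opts," in *,LRO,*) out="$out lro-on" ;; esac
    echo "${out# }"
}

# Constructed sample ifconfig output (assumption, for illustration only).
SAMPLE_READY='em1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>'
SAMPLE_NOT_READY='em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC>'

# On a live host the input would be: iface_problems "$(ifconfig em2)"
inline_spec_ok "em1" || echo "em1: not an inline pair"
echo "em2: $(iface_problems "$SAMPLE_NOT_READY")"
```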
