Unable to send packet: Error with PF_PACKET send


Andrew Jackman

Nov 18, 2017, 6:07:14 AM
to security-onion
Hi,

I'm new to SO and have been trying to verify if Snort signatures exist by using tcpreplay and then looking in Squil. If they do not exist, I will write a rule for it.

I am getting a consistent error after downloading pcaps from VirusTotal:
$ sudo tcpreplay -ieth0 -M10 ~/Downloads/5a133f744e772a3f0f9c4edad20cc8d9edbef12e1f3f7ef69c44b262bd6fa637
sending out eth0
processing file: /home/andrew/Downloads/5a133f744e772a3f0f9c4edad20cc8d9edbef12e1f3f7ef69c44b262bd6fa637
Warning in send_packets.c:send_packets() line 178:
Unable to send packet: Error with PF_PACKET send() [1]: Invalid argument (errno = 22)
Actual: 137 packets (24321 bytes) sent in 0.02 seconds. Rated: 1216050.0 bps, 9.28 Mbps, 6850.00 pps
Statistics for network device: eth0
Attempted packets: 137
Successful packets: 136
Failed packets: 1
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0

This causes my checks to see if there is an existing Snort rule to fail. I'm running SO in VirtualBox 5.1.28 if that makes any difference.

Any help is greatly appreciated, whether it is a way to fix this issue or a better way to verify if a Snort signature exists.

Wes Lambert

Nov 20, 2017, 8:51:09 AM
to securit...@googlegroups.com
Andrew,

Do you receive "Failed packets" when replaying the pcaps in /op/samples/?

Thanks,
Wes



--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Andrew Jackman

Nov 25, 2017, 9:00:55 PM
to security-onion

Thanks for the reply. When I run "sudo tcpreplay -ieth0 -M10 /opt/samples/example.com-1.pcap" I get this:

sending out eth0
processing file: /opt/samples/example.com-1.pcap

Doug Burks

Dec 2, 2017, 6:35:08 AM
to securit...@googlegroups.com
On Sat, Nov 25, 2017 at 9:00 PM, Andrew Jackman
Hi Andrew,

That is normal for /opt/samples/example.com-1.pcap. You should still
get NIDS alerts from Snort/Suricata and Bro logs.


--
Doug Burks

Andrew Jackman

Dec 2, 2017, 7:16:29 PM
to securit...@googlegroups.com
Thanks for the reply, Doug. I didn't know that. It's definitely showing up in Sguil for me when I do that.


Andrew Jackman

Dec 5, 2017, 8:38:52 PM
to securit...@googlegroups.com
Hey Doug, just a quick question. Is this something I can always ignore? The sample pcap gives the same sort of error as pcaps I download from VirusTotal.
Thanks again for your time.
-Andy

andrew@neuromancer:~$ sudo tcpreplay -ieth0 -M10 ~/Downloads/40ece136d2b989055a316ee54517f71e5559eae8669ceb0fd5e2a570853736e5
sending out eth0
processing file: /home/andrew/Downloads/40ece136d2b989055a316ee54517f71e5559eae8669ceb0fd5e2a570853736e5

Warning in send_packets.c:send_packets() line 178:
Unable to send packet: Error with PF_PACKET send() [1]: Invalid argument (errno = 22)
Actual: 96 packets (16564 bytes) sent in 0.01 seconds.        Rated: 1656400.0 bps, 12.64 Mbps, 9600.00 pps

Statistics for network device: eth0
    Attempted packets:         96
    Successful packets:        95

    Failed packets:            1
    Retried packets (ENOBUFS): 0
    Retried packets (EAGAIN):  0
andrew@neuromancer:~$ sudo tcpreplay -ieth0 -M10 /opt/samples/example.com-1.pcap
sending out eth0
processing file: /opt/samples/example.com-1.pcap
Warning in send_packets.c:send_packets() line 178:
Unable to send packet:

Doug Burks

Dec 7, 2017, 6:23:01 AM
to securit...@googlegroups.com
Hi Andrew,

Based on your output below, it looks like there was 1 packet that was
not successful. That packet may be corrupted or it may be larger than
your interface MTU. You may get more information by running capinfos
on the file.
--
Doug Burks
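The oversized-frame explanation above applies to any pcap you intend to replay. As an added example, not from this thread or from tcpreplay/capinfos, here is a stdlib-only Python check that parses a classic pcap and flags frames larger than the interface MTU or truncated by the capture snaplen; the file is a constructed sample, and the names build_pcap, check_replayable and SAMPLE are assumed here.

```python
import struct

# Classic libpcap format: 24-byte global header, then 16-byte record headers
# (ts_sec, ts_usec, incl_len, orig_len) each followed by the captured bytes.
ETH_HDR = 14  # the MTU covers the IP packet, so a frame may be MTU + 14 bytes


def parse_pcap(data):
    """Yield (index, incl_len, orig_len, frame) for each record in a pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"  # little-endian writer (the common case on x86)
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off, idx = 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        yield idx, incl_len, orig_len, frame
        idx += 1


def check_replayable(data, mtu=1500):
    """Return (index, reason, length) for frames a raw send would likely refuse."""
    problems = []
    for idx, incl_len, orig_len, frame in parse_pcap(data):
        if orig_len > mtu + ETH_HDR:
            problems.append((idx, "oversized", orig_len))
        elif incl_len < orig_len or len(frame) < incl_len:
            problems.append((idx, "truncated", incl_len))
    return problems


def build_pcap(records, snaplen=65535):
    """Constructed sample pcap: records is a list of (orig_len, incl_len) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for orig_len, incl_len in records:
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + b"\x00" * incl_len
    return out


# Constructed input: a normal frame, a full-MTU frame, a jumbo frame and a
# frame whose capture was cut short by the snaplen.
SAMPLE = build_pcap([(60, 60), (1514, 1514), (3000, 3000), (1200, 96)])
```

To check a real file, pass its bytes to check_replayable with the MTU of the replay interface; anything it reports is a candidate for the single failed packet in the statistics above.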

Andrew Jackman

Dec 19, 2017, 8:33:52 PM
to securit...@googlegroups.com
Hey Doug,

I solved my tcpreplay issues by switching to VMware Workstation. It seems to have been an issue with VirtualBox. After doing a clean install in VirtualBox I could run the tcpreplay command but it would kill the VM's network connection. Just wanted to give you the heads up for future reference. Thanks for the help!

-Andy