[SOLVED] Suricata: devname netmap:igb0/R failed: Device busy

[hakuna]

I have been using Zenamor and even paying for the home subscription but based on Pi-Holes log, the last thing I need is a service sending the smell of my fart to the cloud. Cancelled!!

So I am trying to test Suricata instead of Zenamor, but its logs keeps showing this "opening devname netmap:igb0/R failed: Device busy".

I did some digging but I don't fully understand it to make changes and break what is working.
Some possibilities include driver incompatible because of the igb0 driver.

The NIC is a Dell Intel I350-T4 Quad Port PCIe on a Dell SFF PC.

What could be possibly the reason and/or the fix??

The now OPNSense backup box, a miniPC with 2x onboard RTK NIC never displayed this message even tho RTK NIC are rated as bad NIC, I never really experienced issues with it.

If that matters, this is a small home network, that miniPC had crashed because Suricata's log was 150GB leaving no disk space so I have a mixed feeling touching it.

Thank you

[Seimus]

First of all, your very first sentence doesn't give any sense and you are not helping anyone with it.

Second, the error you get is mostly due to the fact that the interface is maybe locked by another tool using netmap on it, such as ZA.

If you want to use Suricata with ZA together they do not stack on top of each other. ZA was developed to protect the LAN. The Co-deployment should be done Suricata on WAN and ZA on LAN.

ZA should not be run on WAN.

If you want to use Suricata on interfaces where is ZA used, you need to disable ZA on them first.

Regards,
S.

[hakuna]

If you want to use Suricata on interfaces where is ZA used, you need to disable ZA on them first.

Thank you for the help.
I guessed as such and with ZA removed, Suricata still showing the same error message.
Unless NTOPNG could also give that error, I am not sure.

I will review it again.
Please, let me know if any other process like NTOPNG could cause that.
I have crossed some posts that mentioned the NIC driver being the culprint, I never notices that message on the bakup box running RTK NIC for example.

Thanks again.

[hakuna]

If you want to use Suricata with ZA together they do not stack on top of each other. ZA was developed to protect the LAN. The Co-deployment should be done Suricata on WAN and ZA on LAN.

I believe this is the part I got wrong, I had Suricata on LAN to see what my devices are doing instead of using ZA, ZA is already out so it isn't it causing that.

Suricata on WAN seems to work but I don't run any business or anything so I don't know if that will add any value.
Either way, this appears to be an user error rather than tool.

Thank you so much for the help.

[Seimus]

Not sure about the NTOPNG as I do not use it, but give it a try.

Also do you have any HW offloading (CRC, TSO & LRO) enabled?
After you removed ZA, did you reboot the device?

As I mentioned this error you see is usually due to the fact that Suricata fights with some other system for the NMAP on that specific interface.

Regards,
S.

[hakuna]

Not sure about the NTOPNG as I do not use it, but give it a try.

Also do you have any HW offloading (CRC, TSO & LRO) enabled?
After you removed ZA, did you reboot the device?

As I mentioned this error you see is usually due to the fact that Suricata fights with some other system for the NMAP on that specific interface.

Regards,
S.

HW offloading are disabled.
To be honest with you, I have been dealing with this drama for awhile, I just disabled Suricata and removed ZA.
I will try to mark this post as solved.

Thank you so much for the help.