Error creating sniffer on OS X - permission denied


(Prerna Manaktala) #1

I am trying to run packetbeat on a Mac with packetbeat.yml configured with Mac settings and the HTTP ports changed from the default:

# Select the network interfaces to sniff the data. You can use the "any"
# keyword to sniff on all connected interfaces.
interfaces:
  device: en0

http:
    # Configure the ports where to listen for HTTP traffic. You can disable
    # the http protocol by commenting the list of ports.
    ports: [8091,8093]

./packetbeat.test -systemTest -c /tmp/packetbeat-1.0.0-beta3-darwin/packetbeat.yml -test.coverprofile coverage.cov
packetbeat.go:208: CRIT Initializing sniffer failed: Error creating sniffer: en0: You don't have permission to capture on that device ((cannot open BPF device) /dev/bpf0: Permission denied)

Has anyone seen this problem before?
Elasticsearch is running.


(Andrew Kroh) #2

You don't have permission to access the device so you must run it with sudo:

sudo ./packetbeat.test ...

Reference: Packetbeat - Getting started
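
As an added example (not part of this thread, and not Elastic's code), the following Python script shows what the two failures in this thread look like when triaged from packetbeat's own log lines, and why the unprivileged run fails: it applies the same owner/group/other read check the kernel makes when a process opens /dev/bpf0. The sample lines are constructed from the error strings quoted above; the default macOS BPF permissions (root:wheel, mode 0600) and the Wireshark-style ChmodBPF arrangement (a group such as access_bpf with mode 0640) are known facts, while the uid/gid numbers used in the scenarios are made up for illustration.

```python
import os
import re
import stat
from dataclasses import dataclass

# Constructed sample lines, copied from the failure modes quoted in this thread.
SAMPLE_LOG = [
    "packetbeat.go:208: CRIT Initializing sniffer failed: Error creating sniffer: en0: "
    "You don't have permission to capture on that device ((cannot open BPF device) /dev/bpf0: Permission denied)",
    "packetbeat.go:208: CRIT Initializing sniffer failed: Error creating decoder: Unsuported link type: UnknownLinkType(12)",
    "packetbeat.go:208: CRIT Initializing sniffer failed: Error creating sniffer: ioctl(SIOCIFCREATE): Operation not permitted",
    "logp.go:110: INFO Startup successful, disable stdout logging",
]

# Each pattern maps a sniffer start-up failure to a short category and the remedy given in the thread.
# The link-type pattern accepts both the old misspelling "Unsuported" and the later "Unsupported".
PATTERNS = [
    (re.compile(r"cannot open BPF device\) (/dev/bpf\d+): Permission denied"),
     "bpf_permission",
     "capture device not readable by this user: run with sudo, or grant the user read access to /dev/bpf*"),
    (re.compile(r"Unsupp?orted link type: UnknownLinkType\((\d+)\)"),
     "link_type",
     "configured interface is not an Ethernet device or does not exist: check interfaces.device"),
    (re.compile(r"ioctl\(SIOCIFCREATE\): Operation not permitted"),
     "ifcreate_permission",
     "creating the capture interface needs elevated privileges: run with sudo"),
]


@dataclass
class Diagnosis:
    category: str
    detail: str   # the device path or link-type number pulled from the line, if any
    advice: str


def classify(line: str):
    """Return a Diagnosis for a known sniffer failure line, or None for any other line."""
    for pattern, category, advice in PATTERNS:
        m = pattern.search(line)
        if m:
            detail = m.group(1) if m.groups() else ""
            return Diagnosis(category, detail, advice)
    return None


def triage(lines):
    """Keep only the lines that are recognised sniffer failures, in log order."""
    return [d for d in (classify(line) for line in lines) if d is not None]


def can_read_device(mode: int, owner_uid: int, owner_gid: int, uid: int, gids) -> bool:
    """Unix permission check for open(path, O_RDONLY) on a device node.

    root always passes; otherwise exactly one class of bits applies: owner if
    the uid matches, else group if any of the process's gids matches, else other.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_local_bpf(path="/dev/bpf0") -> bool:
    """Stat a real BPF node (exists on macOS only) and report whether this process could open it."""
    st = os.stat(path)
    return can_read_device(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                           os.getuid(), set(os.getgroups()))


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"{d.category:20} {d.detail or '-':10} {d.advice}")
    # Scenario 1: stock macOS, /dev/bpf0 is root:wheel 0600; an ordinary user (uid 501, made up) is denied.
    print("default node, ordinary user:", can_read_device(0o600, 0, 0, 501, {20}))
    # Scenario 2: ChmodBPF-style node root:access_bpf 0640 (gid 1001 is made up); a member of that group may read.
    print("0640 node, member of group  :", can_read_device(0o640, 0, 1001, 501, {20, 1001}))
    # Scenario 3: the same node, user not in the group: still denied, so sudo remains the only route.
    print("0640 node, not in group     :", can_read_device(0o640, 0, 1001, 501, {20}))
```

Scenario 2 is the least-privilege alternative to running the whole sniffer as root: leave the node owned by root, give a dedicated group read access, and add only the capture user to that group. Scenario 3 shows why a user outside that group still sees the "Permission denied" line above.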


(Prerna Manaktala) #3
$ sudo ./packetbeat.test -systemTest -c packetbeat.yml -test.coverprofile coverage.cov
packetbeat.go:208: CRIT Initializing sniffer failed: Error creating decoder: Unsuported link type: UnknownLinkType(12)
prernamanaktala@couchbases-MacBook-Pro packetbeat (master) $ ./packetbeat.test -systemTest -c packetbeat.yml -test.coverprofile coverage.cov
packetbeat.go:208: CRIT Initializing sniffer failed: Error creating sniffer: ioctl(SIOCIFCREATE): Operation not permitted

Running with sudo gives another error.


(Andrew Kroh) #4

Can you please attach your config file and provide the output of the command with debug enabled?

sudo ./packetbeat.test -systemTest -c packetbeat.yml -test.coverprofile coverage.cov -d '*'


(Prerna Manaktala) #5

With debug enabled:

prernamanaktala@couchbases-MacBook-Pro query (master) $ sudo ../../elastic/packetbeat/packetbeat.test -systemTest -c /tmp/packetbeat-1.0.0-beta3-darwin/packetbeat.yml -test.coverprofile coverage.cov -d '*'
beat.go:94: DBG Initializing output plugins
geolite.go:52: WARN Couldn't load GeoIP database
output.go:106: INFO [ElasticsearchOutput] Using Elasticsearch [http://localhost:9200]
output.go:107: INFO [ElasticsearchOutput] Using index pattern [packetbeat-]YYYY.MM.DD
output.go:108: INFO [ElasticsearchOutput] Topology expires after 15s
api.go:225: DBG Use connection http://localhost:9200
api.go:232: DBG PUT http://localhost:9200/.packetbeat-topology %!s()
api.go:225: DBG Use connection http://localhost:9200
api.go:232: DBG PUT http://localhost:9200/.packetbeat-topology/server-ip/_mapping map[server-ip:map[_ttl:map[enabled:true default:15s]]]
publish.go:185: DBG create output worker: 0x0, 0x0
publish.go:208: INFO Using elasticsearch to store the topology
publish.go:234: INFO No shipper name configured, using hostname 'couchbases-MacBook-Pro.local'
publish.go:252: INFO Topology map refreshed every 10s
publish.go:144: DBG Add topology entry for couchbases-MacBook-Pro.local: [fe80::1 fe80::7a31:c1ff:fecc:760c 192.168.1.6 fe80::706e:3eff:feba:ca73 192.168.2.174]
output.go:175: DBG Publish IPs [fe80::1 fe80::7a31:c1ff:fecc:760c 192.168.1.6 fe80::706e:3eff:feba:ca73 192.168.2.174] with expiration time 15000
api.go:225: DBG Use connection http://localhost:9200
api.go:232: DBG PUT http://localhost:9200/.packetbeat-topology/server-ip/couchbases-MacBook-Pro.local?refresh=true&ttl=15000ms {couchbases-MacBook-Pro.local fe80::1,fe80::7a31:c1ff:fecc:760c,192.168.1.6,fe80::706e:3eff:feba:ca73,192.168.2.174}
api.go:225: DBG Use connection http://localhost:9200
api.go:232: DBG GET http://localhost:9200/.packetbeat-topology/server-ip/_search %!s()
output.go:230: DBG Topology map map[192.168.1.6:couchbases-MacBook-Pro.local fe80::706e:3eff:feba:ca73:couchbases-MacBook-Pro.local 192.168.2.174:couchbases-MacBook-Pro.local fe80::1:couchbases-MacBook-Pro.local fe80::7a31:c1ff:fecc:760c:couchbases-MacBook-Pro.local]
async.go:95: DBG create bulk processing worker (interval=1s, bulk size=10000)
beat.go:103: DBG Init packetbeat
packetbeat.go:171: DBG Initializing protocol plugins
mongodb.go:90: DBG Init a MongoDB protocol parser
memcache.go:104: DBG init memcache plugin
memcache.go:170: DBG maxValues = 0
memcache.go:171: DBG maxBytesPerValue = 2147483647
tcp.go:254: DBG Port map: map[8091:http 8093:http 11211:memcache 3306:mysql 5432:pgsql 6379:redis 9090:thrift 27017:mongodb]
udp.go:115: DBG Port map: map[53:dns 11211:memcache]
packetbeat.go:204: DBG Initializing sniffer
sniffer.go:306: DBG BPF filter: tcp port 8091 or tcp port 8093 or tcp port 3306 or tcp port 6379 or tcp port 5432 or tcp port 9090 or tcp port 27017 or udp port 53 or port 11211
sniffer.go:151: DBG Sniffer type: pcap device: en0
decoder.go:38: DBG Layer type: Ethernet
logp.go:110: INFO Startup successful, disable stdout logging


(Prerna Manaktala) #6

The config file is the same as the original config file except for the ports and the interface:

############################# Shipper ############################################
shipper:

 # The name of the shipper that publishes the network data. It can be used to group
 # all the transactions sent by a single shipper in the web interface.
 # If this option is not defined, the hostname is used.
 name:

 # The tags of the shipper are included in their own field with each
 # transaction published. Tags make it easy to group transactions by different
 # logical properties.
 #tags: ["service1"]

 # Uncomment the following if you want to ignore transactions created
 # by the server on which the shipper is installed. This option is useful
 # to remove duplicates if shippers are installed on multiple servers.
 # ignore_outgoing: true

############################# Sniffer ############################################

# Select the network interfaces to sniff the data. You can use the "any"
# keyword to sniff on all connected interfaces.
interfaces:
 device: en0


############################# Protocols ######################################
protocols:
  dns:
    # Configure the ports where to listen for DNS traffic. You can disable
    # the DNS protocol by commenting out the list of ports.
    ports: [53]

    # include_authorities controls whether or not the dns.authorities field
    # (authority resource records) is added to messages. The default is false.
    include_authorities: true
    # include_additionals controls whether or not the dns.additionals field
    # (additional resource records) is added to messages. The default is false.
    include_additionals: true

    # send_request and send_response control whether or not the stringified DNS
    # request and response message are added to the result. The default is false.
    # Nearly all data about the request/response is available in the dns.*
    # fields, but this can be useful if you need visibility specifically
    # into the request or the response.
    #send_request:  true
    #send_response: true

  http:

    # Configure the ports where to listen for HTTP traffic. You can disable
    # the http protocol by commenting the list of ports.
    ports: [8091,8093]

    # Uncomment the following to hide certain parameters in URL or forms attached
    # to HTTP requests. The names of the parameters are case insensitive.
    # The value of the parameters will be replaced with the 'xxxxx' string.
    # This is generally useful for avoiding storing user passwords or other
    # sensitive information.
    # Only query parameters and top level form parameters are replaced.
    # hide_keywords: ['pass', 'password', 'passwd']

  memcache:
    # Configure the ports where to listen for memcache traffic. You can disable
    # the memcache protocol by commenting out the list of ports.
    ports: [11211]

    # Uncomment the parseunknown option to force the memcache text protocol parse
    # to parse unknown commands.
    # Default: false
    # Note: All unknown commands MUST not contain any data parts!
    # parseunknown: true


    # Update the maxvalue option to store the values - base64 encoded - in the
    # json output.
    # possible values:
    #    maxvalue: -1  # store all values (text based protocol multi-get)
    #    maxvalue: 0   # store no values at all (default)
    #    maxvalue: N   # store up to N values
    # maxvalues: 0

    # Use maxbytespervalue to limit the number of bytes to be copied per value element.
    # Notes: values will be base64 encoded, so actual size in json document
    #        will be 4 times maxbytespervalue
    #
    # Default: unlimited
    # maxbytespervalue: 100

    # Udp transaction timeout in milliseconds.
    # Default: 200
    # Note: Quiet messages in UDP binary protocol will get response only in error case.
    #       The memcached analyzer will wait for udptransactiontimeout
    #       milliseconds before publishing quiet messages.
    #       Non quiet messages or quiet requests with error response will not
    #       have to wait for the timeout
    # udptransactiontimeout: 200
  mysql:
    # Configure the ports where to listen for MySQL traffic. You can disable
    # the MySQL protocol by commenting out the list of ports.
    ports: [3306]

  pgsql:

    # Configure the ports where to listen for Pgsql traffic. You can disable
    # the Pgsql protocol by commenting out the list of ports.
    ports: [5432]

  redis:

    # Configure the ports where to listen for Redis traffic. You can disable
    # the Redis protocol by commenting out the list of ports.
    ports: [6379]

  thrift:

    # Configure the ports where to listen for Thrift traffic. You can disable
    # the Thrift protocol by commenting out the list of ports.
    ports: [9090]

  mongodb:
    # Configure the ports where to listen for Mongodb traffic. You can disable
    # the Mongodb protocol by commenting out the list of ports.
    ports: [27017]

(Andrew Kroh) #7

@Prerna_Manaktala, the output you provided looks normal. I suggest you also add the -e flag so that logging continues to go to stderr. So did you not get the CRIT Initializing sniffer failed: Error creating decoder: Unsuported link type: UnknownLinkType(12) error this time?


(Prerna Manaktala) #8

Yes, I don't see the error now.
But I don't know how to use it for testing code coverage of my Python tests for this Go repo:


(Lindsay Show) #9

How do I solve this problem? I'm also running into this problem on OS X.
make
./packetbeat
and then I get the CRIT Initializing sniffer failed: Error creating decoder: Unsuported link type: UnknownLinkType(12) error.
Looking forward to your reply.


(Steffen Siering) #10

Can you attach your config and logs?


(Lindsay Show) #11

Hi,
the config is right.
./packetbeat -e
2016/06/20 05:47:42.127069 beat.go:336: CRIT Exiting: Initializing sniffer failed: Error creating decoder: Unsupported link type: UnknownLinkType(12)
But in /libbeat/beat/beat.go there are only 325 lines of code. Very strange for this problem.


(Steffen Siering) #12

Can you please share your config? Would like to start packetbeat using said config, trying to reproduce issue locally.

On OS X I noticed LinkType 12 being used (which is even undefined in libpcap) sometimes when the configured device was wrong (for example, it did not really exist or was not an Ethernet device).


(Lindsay Show) #13

In fact, I use this config to test packetbeat-1.2.3, and the result is OK, like this:
./packetbeat -d "http" -I testhttp.pcap -N -e
and on Mac OS X I have modified the device to "en0".
But in packetbeat (the source code, where I develop my own protocols), the error occurs.


(Lindsay Show) #14

Anyway, thanks a lot. I have solved this problem.


(Steffen Siering) #15

How did you solve it? Was the problem that the packetbeat.yml in the source code uses device 'any' by default?


(Lindsay Show) #16

Oh, no, my config uses device "eno".
In the packetbeat.yml, set it like this:
template.overwrite: true
and the problem above is solved.
Thanks.

