[Snort-devel] var PKT_TIMEOUT in sfdaq.c

Guillaume Daleux guillaume.daleux at ...1967...
Wed Feb 29 18:01:58 EST 2012



Thanks for your answer, I understand why you used a positive timeout
with Idle functions.


We use snort with daq 0.6.2 and pfring daq module. I spoke about
heisenbug bug because the problem arrived just when we launched snort
with svc program and it stopped when we printed a debug line in pfring
daq module.



Guillaume DALEUX



From: Russ Combs [mailto:rcombs at ...402...] 
Sent: Wednesday, February 29, 2012 5:29 PM
To: Michael Altizer
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] var PKT_TIMEOUT in sfdaq.c



On Wed, Feb 29, 2012 at 5:22 PM, Michael Altizer
<maltizer at ...402...> wrote:

On 02/29/2012 05:00 PM, Guillaume Daleux wrote: 

Hi all,


We had some problems with snort and snort daq which use 100% of
processing power. After debugging, we saw that our system had a lot of
call to poll function.


The function poll (call in daq) set with a default snort parameter
(PKT_TIMEOUT = 1000) is called everytime and didn't respect this timeout
of 1 second (maybe heisenbug because only one printf removed this


We want to ask you, why this parameter is set to 1000 ms and not -1 ?
The poll function is called to wait packets so why the snort daq uses a
timeout and not directly value -1 which would block until a packet
arrive ?


Can we patch snort and change PKT_TIMEOUT to -1 ?



Thanks for your answer.




Snort does certain "idle work" (see snort.c:SnortIdle()) each time the
DAQ acquire call returns.  If you made the call fully blocking, it would
only return in the case of an error/signal/breakloop, and that code
would not execute [often enough] when the packet rate is too low.

I do not know why the timeout was being ignored in your case, which
seems to be the real issue.  You have not mentioned which DAQ module you
are using.


If you are mucking about in the code, it would help to know what the
call to poll() is returning as well. 

	Virtualization & Cloud Management Using Capacity Planning
	Cloud computing makes use of virtualization - but cloud
	also focuses on allowing computing to be delivered as a service.
	Snort-devel mailing list
	Snort-devel at lists.sourceforge.net
	Please visit http://blog.snort.org for the latest news about


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20120229/2e51a526/attachment.html>

More information about the Snort-devel mailing list