[Snort-devel] var PKT_TIMEOUT in sfdaq.c

Russ Combs rcombs at ...402...
Wed Feb 29 18:05:33 EST 2012


You should post your question on snort-users or wherever the PFRING DAQ is
supported.

On Wed, Feb 29, 2012 at 6:01 PM, Guillaume Daleux <
guillaume.daleux at ...1967...> wrote:

> Hi,
>
> Thanks for your answer, I understand why you used a positive timeout with
> Idle functions.
>
> We use snort 2.9.2.1 with daq 0.6.2 and the pfring daq module. I spoke about
> a heisenbug because the problem arrived just when we launched snort with
> the svc program and it stopped when we printed a debug line in the pfring daq
> module.
>
> Thanks
>
> Guillaume DALEUX
>
> *From:* Russ Combs [mailto:rcombs at ...402...]
> *Sent:* Wednesday, February 29, 2012 5:29 PM
> *To:* Michael Altizer
> *Cc:* snort-devel at lists.sourceforge.net
> *Subject:* Re: [Snort-devel] var PKT_TIMEOUT in sfdaq.c
>
> On Wed, Feb 29, 2012 at 5:22 PM, Michael Altizer <maltizer at ...402...>
> wrote:
>
> On 02/29/2012 05:00 PM, Guillaume Daleux wrote:
>
> Hi all,
>
> We had some problems with snort and snort daq which use 100% of processing
> power. After debugging, we saw that our system had a lot of calls to the poll
> function.
>
> The poll function (called in daq), set with a default snort parameter
> (PKT_TIMEOUT = 1000), is called every time and didn't respect this timeout of
> 1 second (maybe a heisenbug, because only one printf removed this problem).
>
> We want to ask you why this parameter is set to 1000 ms and not -1. The
> poll function is called to wait for packets, so why does the snort daq use a
> timeout and not directly the value -1, which would block until a packet arrives?
>
> Can we patch snort and change PKT_TIMEOUT to -1?
>
> Thanks for your answer.
>
> Snort does certain "idle work" (see snort.c:SnortIdle()) each time the DAQ
> acquire call returns.  If you made the call fully blocking, it would only
> return in the case of an error/signal/breakloop, and that code would not
> execute [often enough] when the packet rate is too low.
>
> I do not know why the timeout was being ignored in your case, which seems
> to be the real issue.  You have not mentioned which DAQ module you are
> using.
>
> If you are mucking about in the code, it would help to know what the call
> to poll() is returning as well.
>
>
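The thread asks what poll() is returning and explains why the timeout is finite. The following C code is an added example, not code from Snort, the DAQ library or the PF_RING module: it classifies each poll() return, runs idle work after every return, and shows one general condition (an error or hang-up flag in revents) under which poll() returns before the timeout. acquire_once(), acquire_loop() and idle_work() are hypothetical names, and a pipe stands in for the capture descriptor.

```c
/* Added example, not Snort or DAQ source. acquire_once(), acquire_loop() and
 * idle_work() are hypothetical names; a pipe stands in for the capture fd. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

enum acq { ACQ_PACKET, ACQ_TIMEOUT, ACQ_INTR, ACQ_FD_ERROR, ACQ_FAIL };
static int idle_runs;                        /* how often idle work ran */
static void idle_work(void) { idle_runs++; }

/* One acquire pass: wait up to timeout_ms, then classify what poll() reported. */
enum acq acquire_once(int fd, int timeout_ms, int *revents)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int rc = poll(&pfd, 1, timeout_ms);
    *revents = pfd.revents;
    if (rc == 0) return ACQ_TIMEOUT;         /* quiet link: full timeout elapsed */
    if (rc < 0) return errno == EINTR ? ACQ_INTR : ACQ_FAIL;
    char buf[64];
    if ((pfd.revents & POLLIN) && read(fd, buf, sizeof buf) > 0)
        return ACQ_PACKET;
    /* POLLERR/POLLHUP/POLLNVAL or EOF: poll() reports these at once on every
     * call, so a loop that ignores them never sleeps for the timeout. */
    return ACQ_FD_ERROR;
}

/* Caller side: idle work after every return; stop on a dead descriptor. */
int acquire_loop(int fd, int timeout_ms, int max_passes)
{
    int passes = 0, rev;
    enum acq r = ACQ_TIMEOUT;
    while (passes < max_passes && r != ACQ_FD_ERROR && r != ACQ_FAIL) {
        r = acquire_once(fd, timeout_ms, &rev);
        passes++;
        idle_work();
    }
    return passes;                           /* number of passes made */
}

int main(void)
{
    int p[2];
    if (pipe(p) != 0) return 1;
    printf("quiet fd: %d passes\n", acquire_loop(p[0], 20, 3));
    close(p[1]);                             /* writer gone: POLLHUP or EOF */
    printf("hung-up fd: %d passes\n", acquire_loop(p[0], 1000, 3));
    return 0;
}
```

With a blocking timeout of -1, the first acquire_loop() call on the quiet descriptor would never return, so idle_work() would not run until a packet, signal or error arrived.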