[Snort-users] afpacket DAQ - large "Outstanding" number/percent

Michael Altizer xiche at ...3147...
Fri Oct 15 02:07:07 EDT 2010


  On 10/13/2010 03:11 PM, Jason Wallace wrote:
> Is anyone else seeing a strange "Outstanding" number/percent after
> exiting when using afpacket in passive mode? It only seems to occur in
> daemon mode (-D).
>
>
> Oct 13 15:05:46  snort[1331]: Can't acquire (-1) -
> afpacket_daq_acquire: Poll failed: Interrupted system call!
> Oct 13 15:05:47 snort[1331]:
> ===============================================================================
> Oct 13 15:05:47 snort[1331]: Packet I/O Totals:
> Oct 13 15:05:47 snort[1331]:    Received:       650083
> Oct 13 15:05:47 snort[1331]:    Analyzed:        24754 (  3.808%)
> Oct 13 15:05:47 snort[1331]:     Dropped:            0 (  0.000%)
> Oct 13 15:05:47 snort[1331]:    Filtered:       625332 ( 96.193%)
> Oct 13 15:05:47 snort[1331]: Outstanding: 18446744073709551613
> (2837598287250944.000%)
> Oct 13 15:05:47 snort[1331]:    Injected:            0
> Oct 13 15:05:47 snort[1331]:
> ===============================================================================
>
>
> snort # snort -V
>
>     ,,_     -*>  Snort!<*-
>    o"  )~   Version 2.9.0 (Build 68)
>     ''''    By Martin Roesch&  The Snort Team:
> http://www.snort.org/snort/snort-team
>             Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>             Using libpcap version 1.0.0
>             Using PCRE version: 7.9 2009-04-11
>             Using ZLIB version: 1.2.3
>
>
> thx,
> Wally
Hi,

Please confirm that you are using the 0.2 release of LibDAQ.  There were 
changes to the AFPacket code between 0.1 and 0.2 that fixed an issue 
with this symptom.  You can check the version of the AFPacket DAQ module 
by passing the --daq-list switch to Snort; it should be v2 if it is from 
the 0.2 release.

-Michael




More information about the Snort-users mailing list