[Snort-users] afpacket DAQ - large "Outstanding" number/percent

Jason Wallace jason.r.wallace at ...11827...
Fri Oct 15 22:49:08 EDT 2010


~ # snort --daq-dir /usr/lib64/daq/ --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v2): live inline multi unpriv


On Fri, Oct 15, 2010 at 2:07 AM, Michael Altizer <xiche at ...3147...> wrote:
>  On 10/13/2010 03:11 PM, Jason Wallace wrote:
>> Is anyone else seeing a strange "Outstanding" number/percent after
>> exiting when using afpacket in passive mode? It only seems to occur in
>> daemon mode (-D).
>>
>>
>> Oct 13 15:05:46  snort[1331]: Can't acquire (-1) -
>> afpacket_daq_acquire: Poll failed: Interrupted system call!
>> Oct 13 15:05:47 snort[1331]:
>> ===============================================================================
>> Oct 13 15:05:47 snort[1331]: Packet I/O Totals:
>> Oct 13 15:05:47 snort[1331]:    Received:       650083
>> Oct 13 15:05:47 snort[1331]:    Analyzed:        24754 (  3.808%)
>> Oct 13 15:05:47 snort[1331]:     Dropped:            0 (  0.000%)
>> Oct 13 15:05:47 snort[1331]:    Filtered:       625332 ( 96.193%)
>> Oct 13 15:05:47 snort[1331]: Outstanding: 18446744073709551613
>> (2837598287250944.000%)
>> Oct 13 15:05:47 snort[1331]:    Injected:            0
>> Oct 13 15:05:47 snort[1331]:
>> ===============================================================================
>>
>>
>> snort # snort -V
>>
>>     ,,_     -*>  Snort!<*-
>>    o"  )~   Version 2.9.0 (Build 68)
>>     ''''    By Martin Roesch&  The Snort Team:
>> http://www.snort.org/snort/snort-team
>>             Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>             Using libpcap version 1.0.0
>>             Using PCRE version: 7.9 2009-04-11
>>             Using ZLIB version: 1.2.3
>>
>>
>> thx,
>> Wally
> Hi,
>
> Please confirm that you are using the 0.2 release of LibDAQ.  There were
> changes to the AFPacket code between 0.1 and 0.2 that fixed an issue
> with this symptom.  You can check the version of the AFPacket DAQ module
> by passing the --daq-list switch to Snort; it should be v2 if it is from
> the 0.2 release.
>
> -Michael
>
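The following check is an added example, not part of the thread and not Snort or LibDAQ code: it parses the exit statistics quoted above and flags an "Outstanding" value that can only be a negative number printed as unsigned 64-bit. The function names are hypothetical, and the relation Outstanding = Received - Analyzed - Dropped - Filtered is an assumption that the thread does not state.

```python
import re

# Constructed sample: the exit statistics quoted in the thread, with the
# mail-wrapped "Outstanding" line rejoined onto a single line.
SAMPLE = """\
Oct 13 15:05:47 snort[1331]: Packet I/O Totals:
Oct 13 15:05:47 snort[1331]:    Received:       650083
Oct 13 15:05:47 snort[1331]:    Analyzed:        24754 (  3.808%)
Oct 13 15:05:47 snort[1331]:     Dropped:            0 (  0.000%)
Oct 13 15:05:47 snort[1331]:    Filtered:       625332 ( 96.193%)
Oct 13 15:05:47 snort[1331]: Outstanding: 18446744073709551613 (2837598287250944.000%)
Oct 13 15:05:47 snort[1331]:    Injected:            0
"""

# Matches "snort[pid]:   Name:   <integer>"; the "Packet I/O Totals:" header
# and separator lines do not match and are skipped.
COUNTER = re.compile(r"snort\[\d+\]:[ \t]+(\w+):[ \t]+(\d+)")


def parse_totals(text):
    """Return {counter name: value} from 'Packet I/O Totals' syslog lines."""
    return {m.group(1): int(m.group(2)) for m in COUNTER.finditer(text)}


def as_signed64(value):
    """Reinterpret an unsigned 64-bit counter as two's-complement signed."""
    return value - (1 << 64) if value >= (1 << 63) else value


def check_outstanding(totals):
    """Flag an Outstanding counter that exceeds Received (a wrapped negative)."""
    outstanding = totals["Outstanding"]
    # Assumption: Outstanding is what is left of Received once the other
    # three counters are subtracted. The thread does not give the formula.
    expected = (totals["Received"] - totals["Analyzed"]
                - totals["Dropped"] - totals["Filtered"])
    return {
        "wrapped": outstanding > totals["Received"],
        "signed": as_signed64(outstanding),
        "expected": expected,
    }


if __name__ == "__main__":
    print(check_outstanding(parse_totals(SAMPLE)))
```

On the quoted numbers the signed reading of Outstanding and the assumed difference agree, which is consistent with a small negative count being printed as an unsigned value.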



