[Snort-users] afpacket DAQ - large "Outstanding" number/percent

Michael Altizer xiche at ...3147...
Tue Oct 19 01:06:44 EDT 2010


Could you please try applying the attached patch[1] and confirming 
that the issue still exists?  (This brings it up to the current status 
of the next release and fixes some rather significant issues, but does 
nothing to directly address the issue that you are seeing.)  Also, how 
reproducible is the issue?  What's the approximate traffic rate when 
this occurs?  What does your BPF look like?  What does your command line 
look like (inline mode, etc)?

In case you're wondering how the math works out, it's something like this:
1. Kernel reports 650083 packets received on the AFPacket buffer rings 
when queried.
2. DAQ module reports 24754 packets received in its acquire loop and 
passed to Snort.
3. DAQ module reports 625332 packets received in its acquire loop and 
fastpathed by the BPF.
4. Outstanding packets is (uint64_t) (650083 - 24754 - 625332) which is 
(uint64_t) (-3) which is 18446744073709551613.

So the kernel is reporting it has received three fewer packets than the 
DAQ has seen, which is a tad disconcerting.

-Michael

[1] patch daq-0.2/os-daq/modules/daq_afpacket.c afpacket-v3.diff

On 10/15/2010 10:49 PM, Jason Wallace wrote:
> ~ # snort --daq-dir /usr/lib64/daq/ --daq-list
> Available DAQ modules:
> pcap(v3): readback live multi unpriv
> dump(v1): readback live inline multi unpriv
> afpacket(v2): live inline multi unpriv
>
>
> On Fri, Oct 15, 2010 at 2:07 AM, Michael Altizer <xiche at ...3147...> wrote:
>> On 10/13/2010 03:11 PM, Jason Wallace wrote:
>>> Is anyone else seeing a strange "Outstanding" number/percent after
>>> exiting when using afpacket in passive mode? It only seems to occur in
>>> daemon mode (-D).
>>>
>>>
>>> Oct 13 15:05:46  snort[1331]: Can't acquire (-1) -
>>> afpacket_daq_acquire: Poll failed: Interrupted system call!
>>> Oct 13 15:05:47 snort[1331]:
>>> ===============================================================================
>>> Oct 13 15:05:47 snort[1331]: Packet I/O Totals:
>>> Oct 13 15:05:47 snort[1331]:    Received:       650083
>>> Oct 13 15:05:47 snort[1331]:    Analyzed:        24754 (  3.808%)
>>> Oct 13 15:05:47 snort[1331]:     Dropped:            0 (  0.000%)
>>> Oct 13 15:05:47 snort[1331]:    Filtered:       625332 ( 96.193%)
>>> Oct 13 15:05:47 snort[1331]: Outstanding: 18446744073709551613 (2837598287250944.000%)
>>> Oct 13 15:05:47 snort[1331]:    Injected:            0
>>> Oct 13 15:05:47 snort[1331]:
>>> ===============================================================================
>>>
>>>
>>> snort # snort -V
>>>
>>>      ,,_     -*>    Snort!<*-
>>>     o"  )~   Version 2.9.0 (Build 68)
>>>      ''''    By Martin Roesch & The Snort Team:
>>> http://www.snort.org/snort/snort-team
>>>              Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>              Using libpcap version 1.0.0
>>>              Using PCRE version: 7.9 2009-04-11
>>>              Using ZLIB version: 1.2.3
>>>
>>>
>>> thx,
>>> Wally
>> Hi,
>>
>> Please confirm that you are using the 0.2 release of LibDAQ.  There were
>> changes to the AFPacket code between 0.1 and 0.2 that fixed an issue
>> with this symptom.  You can check the version of the AFPacket DAQ module
>> by passing the --daq-list switch to Snort; it should be v2 if it is from
>> the 0.2 release.
>>
>> -Michael
>>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: afpacket-v3.diff
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101019/d8bbb290/attachment.ksh>
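An added illustration of the arithmetic Michael walks through above (example code, not from the thread or from LibDAQ): the three counters from the quoted totals run through the unchecked unsigned subtraction, the signed view that yields -3, the percentage that blows up to 2.8e15%, and a checked variant that flags the kernel/DAQ mismatch instead of printing a wrapped value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Counters copied from the quoted "Packet I/O Totals" in this thread. */
#define KERNEL_RECEIVED 650083ULL   /* kernel's AF_PACKET ring counter */
#define DAQ_ANALYZED     24754ULL   /* acquired and passed to Snort */
#define DAQ_FILTERED    625332ULL   /* acquired and fastpathed by the BPF */

/* Unchecked unsigned subtraction as the mail describes it: if the DAQ has
 * accounted for more than the kernel reports, the result wraps modulo 2^64. */
uint64_t outstanding_unchecked(uint64_t received, uint64_t analyzed, uint64_t filtered)
{
    return received - analyzed - filtered;
}

/* Same difference viewed as signed: the -3 behind (uint64_t)(-3). */
int64_t outstanding_signed(uint64_t received, uint64_t analyzed, uint64_t filtered)
{
    return (int64_t)received - (int64_t)analyzed - (int64_t)filtered;
}

/* Percentage in double arithmetic, as a totals printout would compute it;
 * a wrapped count is what produces the 2.8e15% figure in the log. */
double outstanding_percent(uint64_t outstanding, uint64_t received)
{
    return received ? (double)outstanding / (double)received * 100.0 : 0.0;
}

/* Checked variant: never reports a wrapped value. When the DAQ tally exceeds
 * the kernel count it returns 0 and flags the mismatch for the operator. */
uint64_t outstanding_checked(uint64_t received, uint64_t analyzed, uint64_t filtered,
                             bool *inconsistent)
{
    uint64_t accounted = analyzed + filtered;
    *inconsistent = accounted > received;
    return *inconsistent ? 0 : received - accounted;
}

int main(void)
{
    bool bad;
    uint64_t raw  = outstanding_unchecked(KERNEL_RECEIVED, DAQ_ANALYZED, DAQ_FILTERED);
    uint64_t safe = outstanding_checked(KERNEL_RECEIVED, DAQ_ANALYZED, DAQ_FILTERED, &bad);
    printf("Outstanding (unchecked): %llu (%.3f%%)\n", (unsigned long long)raw,
           outstanding_percent(raw, KERNEL_RECEIVED));
    printf("Outstanding (checked):   %llu%s\n", (unsigned long long)safe,
           bad ? "  [kernel count below DAQ tally: counters inconsistent]" : "");
    return 0;
}
```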