[Snort-users] afpacket DAQ - large "Outstanding" number/percent

Jason Wallace jason.r.wallace at ...11827...
Tue Oct 19 09:11:34 EDT 2010


I'll test the patch, but I might not get to it today.

Reproducible: Always
Traffic Rate: 5-8Mb/s (if that)
BPF: None

snort.conf contains:
config daq: afpacket
config daq_mode: passive
config daq_dir: /usr/lib64/daq/

Command Line: Using "snort -c ./snort.conf -dev" works fine
===============================================================================
Run time for packet processing was 40.730405 seconds
Snort processed 45786 packets.
Snort ran for 0 days 0 hours 0 minutes 40 seconds
   Pkts/sec:         1144
===============================================================================
Packet I/O Totals:
   Received:        55240
   Analyzed:        45786 ( 82.886%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:         9454 ( 17.114%)
   Injected:            0
===============================================================================

Command Line: Using "snort -c ./snort.conf" does NOT seem to work

Also, the "Received" number seems too high for the amount of time I ran snort.

^CCan't acquire (-1) - afpacket_daq_acquire: Poll failed: Interrupted
system call!
===============================================================================
Packet I/O Totals:
   Received:       139172
   Analyzed:       139204 (100.023%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding: 18446744073709551584 (13254637480031582.000%)
   Injected:            0
===============================================================================

I have attached my snort.conf also. It is stripped down because this
sensor is currently being used for testing. Only running 5 custom
rules.

Snort Build time options:
--enable-shared --disable-static --enable-dynamicplugin --disable-ipv6
--enable-zlib --disable-gre --disable-mpls --disable-targetbased
--enable-decoder-preprocessor-rules --enable-ppm
--enable-perfprofiling --enable-linux-smp-stats
--disable-inline-init-failopen --disable-prelude --enable-pthread
--disable-debug --disable-debug-msgs --disable-corefiles
--disable-active-response --disable-normalizer --enable-reload
--enable-reload-error-restart --disable-react --disable-flexresp3
--disable-aruba --without-mysql --without-odbc --without-postgresql
--disable-build-dynamic-examples --disable-profile --disable-ppm-test
--disable-dlclose --disable-intel-soft-cpm --disable-static-daq
--without-oracle

DAQ build time options:
--disable-ipv6 --enable-pcap-module --enable-afpacket-module
--enable-dump-module --disable-ipfw-module --disable-bundled-modules

System Info:
- Strictly a 64 bit system. No 32 bit binaries/libs at all.
- Gentoo Linux
- Linux XXXXXX 2.6.32-hardened-r9 #1 SMP Thu Jul 8 16:28:11 EDT 2010
x86_64 Intel(R) Xeon(TM) CPU 3.00GHz GenuineIntel GNU/Linux
- gcc version 4.4.4

Let me know if there is any other info you need.

thx,
Wally

On Tue, Oct 19, 2010 at 1:06 AM, Michael Altizer <xiche at ...3147...> wrote:
> Could you please try applying the attached patch[1] and confirming that the
> issue still exists?  (This brings it up to the current status of the next
> release and fixes some rather significant issues, but does nothing to
> directly address the issue that you are seeing.)  Also, how reproducible is
> the issue?  What's the approximate traffic rate when this occurs?  What does
> your BPF look like?  What does your command line look like (inline mode,
> etc)?
>
> In case you're wondering how the math works out, it's something like this:
> 1. Kernel reports 650083 packets received on the AFPacket buffer rings when
> queried.
> 2. DAQ module reports 24754 packets received in its acquire loop and passed
> to Snort.
> 3. DAQ module reports 625332 packets received in its acquire loop and
> fastpathed by the BPF.
> 4. Outstanding packets is (uint64_t) (650083 - 24754 - 625332) which is
> (uint64_t) (-3) which is 18446744073709551613.
>
> So the kernel is reporting it has received three fewer packets than the DAQ
> has seen, which is a tad disconcerting.
>
> -Michael
>
> [1] patch daq-0.2/os-daq/modules/daq_afpacket.c afpacket-v3.diff
>
> On 10/15/2010 10:49 PM, Jason Wallace wrote:
>>
>> ~ # snort --daq-dir /usr/lib64/daq/ --daq-list
>> Available DAQ modules:
>> pcap(v3): readback live multi unpriv
>> dump(v1): readback live inline multi unpriv
>> afpacket(v2): live inline multi unpriv
>>
>>
>> On Fri, Oct 15, 2010 at 2:07 AM, Michael Altizer <xiche at ...3147...> wrote:
>>>
>>>  On 10/13/2010 03:11 PM, Jason Wallace wrote:
>>>>
>>>> Is anyone else seeing a strange "Outstanding" number/percent after
>>>> exiting when using afpacket in passive mode? It only seems to occur in
>>>> daemon mode (-D).
>>>>
>>>>
>>>> Oct 13 15:05:46  snort[1331]: Can't acquire (-1) -
>>>> afpacket_daq_acquire: Poll failed: Interrupted system call!
>>>> Oct 13 15:05:47 snort[1331]:
>>>>
>>>> ===============================================================================
>>>> Oct 13 15:05:47 snort[1331]: Packet I/O Totals:
>>>> Oct 13 15:05:47 snort[1331]:    Received:       650083
>>>> Oct 13 15:05:47 snort[1331]:    Analyzed:        24754 (  3.808%)
>>>> Oct 13 15:05:47 snort[1331]:     Dropped:            0 (  0.000%)
>>>> Oct 13 15:05:47 snort[1331]:    Filtered:       625332 ( 96.193%)
>>>> Oct 13 15:05:47 snort[1331]: Outstanding: 18446744073709551613
>>>> (2837598287250944.000%)
>>>> Oct 13 15:05:47 snort[1331]:    Injected:            0
>>>> Oct 13 15:05:47 snort[1331]:
>>>>
>>>> ===============================================================================
>>>>
>>>>
>>>> snort # snort -V
>>>>
>>>>     ,,_     -*>    Snort!<*-
>>>>    o"  )~   Version 2.9.0 (Build 68)
>>>>     ''''    By Martin Roesch & The Snort Team:
>>>> http://www.snort.org/snort/snort-team
>>>>             Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>>             Using libpcap version 1.0.0
>>>>             Using PCRE version: 7.9 2009-04-11
>>>>             Using ZLIB version: 1.2.3
>>>>
>>>>
>>>> thx,
>>>> Wally
>>>
>>> Hi,
>>>
>>> Please confirm that you are using the 0.2 release of LibDAQ.  There were
>>> changes to the AFPacket code between 0.1 and 0.2 that fixed an issue
>>> with this symptom.  You can check the version of the AFPacket DAQ module
>>> by passing the --daq-list switch to Snort; it should be v2 if it is from
>>> the 0.2 release.
>>>
>>> -Michael
>>>
>>>
>>>
>
>
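The counter arithmetic Michael lays out in steps 1-4 above, carried through in C as an added example (this is not libdaq's or Snort's code; the function names and parameters are assumptions chosen only to mirror the "Packet I/O Totals" lines quoted in this thread). It reproduces both wrapped values seen here from the kernel count minus the DAQ's own tallies, shows that the printed percentage is just that wrapped value divided by Received, and pairs the unchecked subtraction with a checked form that reports the kernel's deficit instead of a number near 2^64:

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from libdaq or Snort. The function names and
 * parameters are assumptions chosen to mirror the "Packet I/O Totals"
 * lines quoted in this thread. */

/* Step 4 as Michael describes it: the subtraction is carried out in
 * uint64_t, so if the kernel's count is smaller than what the DAQ has
 * already tallied the result wraps to a value just below 2^64. */
uint64_t outstanding_unchecked(uint64_t kernel_received,
                               uint64_t analyzed, uint64_t filtered)
{
    return kernel_received - analyzed - filtered;
}

/* True when the counters can be reconciled: the kernel reports at least
 * as many packets as the DAQ has analyzed plus filtered. */
bool counters_consistent(uint64_t kernel_received,
                         uint64_t analyzed, uint64_t filtered)
{
    return kernel_received >= analyzed + filtered;
}

/* Checked form: only subtract when the result cannot underflow. */
uint64_t outstanding_checked(uint64_t kernel_received,
                             uint64_t analyzed, uint64_t filtered)
{
    if (!counters_consistent(kernel_received, analyzed, filtered))
        return 0;
    return kernel_received - (analyzed + filtered);
}

/* How many more packets the DAQ saw than the kernel reports (the "three
 * fewer packets" Michael points out); 0 when the counters are consistent. */
uint64_t kernel_deficit(uint64_t kernel_received,
                        uint64_t analyzed, uint64_t filtered)
{
    if (counters_consistent(kernel_received, analyzed, filtered))
        return 0;
    return (analyzed + filtered) - kernel_received;
}

/* Percentage the way the stats block prints it: outstanding / received * 100.
 * Fed a wrapped counter this produces the absurd figures seen above. */
double outstanding_percent(uint64_t outstanding, uint64_t received)
{
    if (received == 0)
        return 0.0;
    return (double)outstanding / (double)received * 100.0;
}

int main(void)
{
    /* The three stats blocks quoted in this thread (Received, Analyzed, Filtered). */
    const struct { uint64_t recv, an, filt; const char *label; } runs[] = {
        { 650083,  24754, 625332, "Oct 13, daemon mode"  },
        { 139172, 139204,      0, "Oct 19, without -dev" },
        {  55240,  45786,      0, "Oct 19, with -dev"    },
    };
    for (size_t i = 0; i < sizeof runs / sizeof runs[0]; i++) {
        uint64_t wrapped = outstanding_unchecked(runs[i].recv, runs[i].an, runs[i].filt);
        printf("%s: Outstanding (unchecked) = %" PRIu64 " (%.3f%%)\n",
               runs[i].label, wrapped, outstanding_percent(wrapped, runs[i].recv));
        if (counters_consistent(runs[i].recv, runs[i].an, runs[i].filt))
            printf("  checked: %" PRIu64 " outstanding\n",
                   outstanding_checked(runs[i].recv, runs[i].an, runs[i].filt));
        else
            printf("  checked: inconsistent, DAQ tallied %" PRIu64
                   " more packets than the kernel reports\n",
                   kernel_deficit(runs[i].recv, runs[i].an, runs[i].filt));
    }
    return 0;
}
```

The point for anyone reading these stats on a sensor: an Outstanding value near 18446744073709551615 is not a drop count, it is the unsigned wrap of a small negative number, and the useful diagnostic is the size of that negative number (3 packets in the Oct 13 run, 32 in the Oct 19 run without -dev), which says how far the kernel's ring statistics and the DAQ's own tallies disagree.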
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 2730 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101019/82107f1a/attachment.obj>