[Snort-users] Problem with Snort3 multi-threaded on FreeBSD

Michael Altizer mialtize at cisco.com
Fri Dec 1 15:19:55 EST 2017


On 11/30/2017 12:14 PM, Dalten 22 via Snort-users wrote:
> FreeBSD 11.1 amd64 - 4 cores
> DAQ: Netmap
>
> Background:  I have Snort3 running very well with the following 
> command:  snort -c /opt/snort/etc/snort/snort.lua -i igb0:igb1 --daq 
> netmap -Q -u snort -g snort &
>
> While that works well enough, if I tell it to use 4 threads like so, I 
> get some errors in the console after about 10 seconds.
>
> snort -c /opt/snort/etc/snort/snort.lua -i igb0:igb1 --daq netmap -Q 
> -u snort -g snort -z 4 &
>
> Commencing packet processing
> ++ [0] igb0:igb1
> ++ [1] igb0:igb1
> ++ [2] igb0:igb1
> ++ [3] igb0:igb1
> Set GID to 8888
> Set UID to 8888
> Can't acquire (-1) - netmap_daq_acquire: Encountered error condition 
> on a packet socket
> -- [1] igb0:igb1
> Can't acquire (-1) - netmap_daq_acquire: Encountered error condition 
> on a packet socket
> -- [2] igb0:igb1
> Can't acquire (-1) - netmap_daq_acquire: Encountered error condition 
> on a packet socket
> -- [0] igb0:igb1
>
> Snort3 still runs but top only reports it's using 2 threads, the same 
> as if you don't specify -z.
>
> Thank you,
>
> Aaron

The current Snort multiple packet threads solution still must 
instantiate a DAQ module instance in each packet thread to use as its 
packet source (no internal loadbalancing solution).  This means that 
each packet thread must follow the same rules as a Snort 2 instance 
would when it comes to opening the packet source.  So, just like if you 
tried to run four Snort 2 instances all trying to use the same two 
netmap interfaces, the second through fourth attempts to open those 
"busy" interfaces will fail.  I haven't kept up with netmap - if they 
have implemented something like AFPacket's fan-out loadbalancing 
functionality, the DAQ module could potentially be enhanced to support 
that and then be able to open the interfaces multiple times (with 
different loadbalancing IDs or something conceptually similar) as the 
afpacket DAQ module was.
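
As an added example (not part of the original thread or of Snort itself), the following script reads Snort 3 console output like that quoted above and reports which packet threads are still attached to a packet source and which dropped out after a DAQ acquire error. It assumes that `++ [n] source` marks packet thread n starting and `-- [n] source` marks it stopping, as the quoted output suggests; the sample input is reconstructed from the post with the mail line-wraps joined.

```python
import re

# Constructed sample: console output quoted in the post, mail line-wraps joined.
ERR = ("Can't acquire (-1) - netmap_daq_acquire: "
       "Encountered error condition on a packet socket")
SAMPLE = "\n".join([
    "Commencing packet processing",
    "++ [0] igb0:igb1", "++ [1] igb0:igb1",
    "++ [2] igb0:igb1", "++ [3] igb0:igb1",
    "Set GID to 8888", "Set UID to 8888",
    ERR, "-- [1] igb0:igb1",
    ERR, "-- [2] igb0:igb1",
    ERR, "-- [0] igb0:igb1",
])

# Assumption: "++ [n] src" = packet thread n started, "-- [n] src" = it stopped.
THREAD = re.compile(r"^(\+\+|--) \[(\d+)\] (\S+)$")
ACQUIRE_ERR = re.compile(r"^Can't acquire \((-?\d+)\) - (.+)$")


def audit_packet_threads(console_text):
    """Return (running, failed).

    running: {thread_id: source} for threads started and never stopped.
    failed:  {thread_id: (source, error)} for threads that stopped right
             after an acquire error. The error line carries no thread id,
             so it is attributed to the next "--" line (heuristic).
    A "--" with no preceding error is treated as a clean stop.
    """
    running, failed, pending_err = {}, {}, None
    for raw in console_text.splitlines():
        line = raw.strip()
        m = THREAD.match(line)
        if m:
            marker, tid, source = m.group(1), int(m.group(2)), m.group(3)
            if marker == "++":
                running[tid] = source
            else:
                running.pop(tid, None)
                if pending_err is not None:
                    failed[tid] = (source, pending_err)
                pending_err = None
        elif (e := ACQUIRE_ERR.match(line)):
            pending_err = e.group(2)
    return running, failed


if __name__ == "__main__":
    up, down = audit_packet_threads(SAMPLE)
    print(f"running: {sorted(up)}  failed: {sorted(down)}")
    for tid, (src, err) in sorted(down.items()):
        print(f"  thread {tid} on {src}: {err}")
```

On the sample, only one of the four requested packet threads remains attached to `igb0:igb1`, which matches the explanation that the additional opens of the same netmap interfaces fail.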