Snort mailing list archives

Re: afpacket DAQ - large "Outstanding" number/percent


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Tue, 19 Oct 2010 09:11:34 -0400

I'll test the patch, but I might not get to it today.

Reproducible: Always
Traffic Rate: 5-8Mb/s (if that)
BPF: None

snort.conf contains:
config daq: afpacket
config daq_mode: passive
config daq_dir: /usr/lib64/daq/

Command Line: Using "snort -c ./snort.conf -dev" works fine
===============================================================================
Run time for packet processing was 40.730405 seconds
Snort processed 45786 packets.
Snort ran for 0 days 0 hours 0 minutes 40 seconds
   Pkts/sec:         1144
===============================================================================
Packet I/O Totals:
   Received:        55240
   Analyzed:        45786 ( 82.886%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:         9454 ( 17.114%)
   Injected:            0
===============================================================================

Command Line: Using "snort -c ./snort.conf" does NOT seem to work

Also, the "Received" number seems too high for the amount of time I ran snort.

^CCan't acquire (-1) - afpacket_daq_acquire: Poll failed: Interrupted system call!
===============================================================================
Packet I/O Totals:
   Received:       139172
   Analyzed:       139204 (100.023%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding: 18446744073709551584 (13254637480031582.000%)
   Injected:            0
===============================================================================

I have attached my snort.conf also. It is stripped down because this
sensor is currently being used for testing. Only running 5 custom
rules.

Snort Build time options:
--enable-shared --disable-static --enable-dynamicplugin --disable-ipv6
--enable-zlib --disable-gre --disable-mpls --disable-targetbased
--enable-decoder-preprocessor-rules --enable-ppm
--enable-perfprofiling --enable-linux-smp-stats
--disable-inline-init-failopen --disable-prelude --enable-pthread
--disable-debug --disable-debug-msgs --disable-corefiles
--disable-active-response --disable-normalizer --enable-reload
--enable-reload-error-restart --disable-react --disable-flexresp3
--disable-aruba --without-mysql --without-odbc --without-postgresql
--disable-build-dynamic-examples --disable-profile --disable-ppm-test
--disable-dlclose --disable-intel-soft-cpm --disable-static-daq
--without-oracle

DAQ build time options:
--disable-ipv6 --enable-pcap-module --enable-afpacket-module
--enable-dump-module --disable-ipfw-module --disable-bundled-modules

System Info:
- Strictly a 64 bit system. No 32 bit binaries/libs at all.
- Gentoo Linux
- Linux XXXXXX 2.6.32-hardened-r9 #1 SMP Thu Jul 8 16:28:11 EDT 2010
x86_64 Intel(R) Xeon(TM) CPU 3.00GHz GenuineIntel GNU/Linux
- gcc version 4.4.4

Let me know if there is any other info you need.

thx,
Wally

On Tue, Oct 19, 2010 at 1:06 AM, Michael Altizer <xiche () verizon net> wrote:
Could you please try applying the attached patch[1] and confirming that the
issue still exists?  (This brings it up to the current status of the next
release and fixes some rather significant issues, but does nothing to
directly address the issue that you are seeing.)  Also, how reproducible is
the issue?  What's the approximate traffic rate when this occurs?  What does
your BPF look like?  What does your command line look like (inline mode,
etc)?

In case you're wondering how the math works out, it's something like this:
1. Kernel reports 650083 packets received on the AFPacket buffer rings when
queried.
2. DAQ module reports 24754 packets received in its acquire loop and passed
to Snort.
3. DAQ module reports 625332 packets received in its acquire loop and
fastpathed by the BPF.
4. Outstanding packets is (uint64_t) (650083 - 24754 - 625332) which is
(uint64_t) (-3) which is 18446744073709551613.

So the kernel is reporting it has received three fewer packets than the DAQ
has seen, which is a tad disconcerting.

-Michael

[1] patch daq-0.2/os-daq/modules/daq_afpacket.c afpacket-v3.diff

On 10/15/2010 10:49 PM, Jason Wallace wrote:

~ # snort --daq-dir /usr/lib64/daq/ --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v2): live inline multi unpriv


On Fri, Oct 15, 2010 at 2:07 AM, Michael Altizer <xiche () verizon net> wrote:

On 10/13/2010 03:11 PM, Jason Wallace wrote:

Is anyone else seeing a strange "Outstanding" number/percent after
exiting when using afpacket in passive mode? It only seems to occur in
daemon mode (-D).


Oct 13 15:05:46 snort[1331]: Can't acquire (-1) - afpacket_daq_acquire: Poll failed: Interrupted system call!
Oct 13 15:05:47 snort[1331]:

===============================================================================
Oct 13 15:05:47 snort[1331]: Packet I/O Totals:
Oct 13 15:05:47 snort[1331]:    Received:       650083
Oct 13 15:05:47 snort[1331]:    Analyzed:        24754 (  3.808%)
Oct 13 15:05:47 snort[1331]:     Dropped:            0 (  0.000%)
Oct 13 15:05:47 snort[1331]:    Filtered:       625332 ( 96.193%)
Oct 13 15:05:47 snort[1331]: Outstanding: 18446744073709551613 (2837598287250944.000%)
Oct 13 15:05:47 snort[1331]:    Injected:            0
Oct 13 15:05:47 snort[1331]:

===============================================================================


snort # snort -V

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.0 (Build 68)
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
            Using libpcap version 1.0.0
            Using PCRE version: 7.9 2009-04-11
            Using ZLIB version: 1.2.3


thx,
Wally

Hi,

Please confirm that you are using the 0.2 release of LibDAQ.  There were
changes to the AFPacket code between 0.1 and 0.2 that fixed an issue
with this symptom.  You can check the version of the AFPacket DAQ module
by passing the --daq-list switch to Snort; it should be v2 if it is from
the 0.2 release.

-Michael
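The uint64_t wraparound Michael walks through above, as an added C example that is not code from the DAQ or Snort sources; the function names and the clamped "checked" variant are assumptions of this illustration, and the counters are the ones reported in the thread:

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not DAQ or Snort source. Function names are assumed;
 * the counter names mirror the Packet I/O Totals that Snort prints. */

/* The arithmetic as described in the thread: done in uint64_t, so a kernel
 * count lower than the DAQ's own counts wraps modulo 2^64 instead of going
 * negative. */
uint64_t outstanding_wrapping(uint64_t received, uint64_t analyzed,
                              uint64_t filtered)
{
    return received - analyzed - filtered;
}

/* Percent as printed alongside it: outstanding / received * 100, in double,
 * which is why a wrapped count shows up as a quadrillion-percent figure. */
double outstanding_percent(uint64_t outstanding, uint64_t received)
{
    return received ? (double)outstanding / (double)received * 100.0 : 0.0;
}

/* Defensive variant (assumption, not the DAQ's fix): subtract in signed
 * 64-bit, clamp at zero, and report a negative result as a counter
 * inconsistency so an operator can tell "wrap" from "packets really pending".
 * Returns 1 if the kernel count was lower than the DAQ's, else 0. */
int outstanding_checked(uint64_t received, uint64_t analyzed,
                        uint64_t filtered, uint64_t *outstanding)
{
    int64_t diff = (int64_t)received - (int64_t)analyzed - (int64_t)filtered;
    if (diff < 0) {
        *outstanding = 0;
        return 1;
    }
    *outstanding = (uint64_t)diff;
    return 0;
}

int main(void)
{
    /* Counters taken from the two reports in the thread. */
    uint64_t wrapped = outstanding_wrapping(650083, 24754, 625332);
    printf("wrapped: %" PRIu64 " (%.3f%%)\n", wrapped,
           outstanding_percent(wrapped, 650083));

    uint64_t checked;
    int inconsistent = outstanding_checked(139172, 139204, 0, &checked);
    printf("checked: %" PRIu64 " inconsistent=%d\n", checked, inconsistent);
    return 0;
}
```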


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


