Snort mailing list archives
Re: var PKT_TIMEOUT in sfdaq.c
From: "Guillaume Daleux" <guillaume.daleux () abovesecurity com>
Date: Wed, 29 Feb 2012 18:01:58 -0500
Hi, Thanks for your answer, I understand why you used a positive timeout with Idle functions. We use snort 2.9.2.1 with daq 0.6.2 and pfring daq module. I spoke about heisenbug bug because the problem arrived just when we launched snort with svc program and it stopped when we printed a debug line in pfring daq module. Thanks Guillaume DALEUX From: Russ Combs [mailto:rcombs () sourcefire com] Sent: Wednesday, February 29, 2012 5:29 PM To: Michael Altizer Cc: snort-devel () lists sourceforge net Subject: Re: [Snort-devel] var PKT_TIMEOUT in sfdaq.c On Wed, Feb 29, 2012 at 5:22 PM, Michael Altizer <maltizer () sourcefire com> wrote: On 02/29/2012 05:00 PM, Guillaume Daleux wrote: Hi all, We had some problems with snort and snort daq which use 100% of processing power. After debugging, we saw that our system had a lot of call to poll function. The function poll (call in daq) set with a default snort parameter (PKT_TIMEOUT = 1000) is called everytime and didn't respect this timeout of 1 second (maybe heisenbug because only one printf removed this problem). We want to ask you, why this parameter is set to 1000 ms and not -1 ? The poll function is called to wait packets so why the snort daq uses a timeout and not directly value -1 which would block until a packet arrive ? Can we patch snort and change PKT_TIMEOUT to -1 ? Thanks for your answer. Snort does certain "idle work" (see snort.c:SnortIdle()) each time the DAQ acquire call returns. If you made the call fully blocking, it would only return in the case of an error/signal/breakloop, and that code would not execute [often enough] when the packet rate is too low. I do not know why the timeout was being ignored in your case, which seems to be the real issue. You have not mentioned which DAQ module you are using. If you are mucking about in the code, it would help to know what the call to poll() is returning as well. ------------------------------------------------------------------------ ------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: Invalid protocol name for "ip_proto" rule option: "igmp" Lukas Matt (Feb 24)
- Re: Invalid protocol name for "ip_proto" rule option: "igmp" Joel Esler (Feb 24)
- var PKT_TIMEOUT in sfdaq.c Guillaume Daleux (Feb 29)
- Re: var PKT_TIMEOUT in sfdaq.c Michael Altizer (Feb 29)
- Re: var PKT_TIMEOUT in sfdaq.c Russ Combs (Feb 29)
- Re: var PKT_TIMEOUT in sfdaq.c Guillaume Daleux (Feb 29)
- Re: var PKT_TIMEOUT in sfdaq.c Russ Combs (Feb 29)
- var PKT_TIMEOUT in sfdaq.c Guillaume Daleux (Feb 29)
- Re: Invalid protocol name for "ip_proto" rule option: "igmp" Joel Esler (Feb 24)