Snort mailing list archives
Re: afpacket DAQ - large "Outstanding" number/percent
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 15 Oct 2010 22:49:08 -0400
~ # snort --daq-dir /usr/lib64/daq/ --daq-list Available DAQ modules: pcap(v3): readback live multi unpriv dump(v1): readback live inline multi unpriv afpacket(v2): live inline multi unpriv On Fri, Oct 15, 2010 at 2:07 AM, Michael Altizer <xiche () verizon net> wrote:
On 10/13/2010 03:11 PM, Jason Wallace wrote:Is anyone else seeing a strange "Outstanding" number/percent after exiting when using afpacket in passive mode? It only seems to occur in daemon mode (-D). Oct 13 15:05:46 snort[1331]: Can't acquire (-1) - afpacket_daq_acquire: Poll failed: Interrupted system call! Oct 13 15:05:47 snort[1331]: =============================================================================== Oct 13 15:05:47 snort[1331]: Packet I/O Totals: Oct 13 15:05:47 snort[1331]: Received: 650083 Oct 13 15:05:47 snort[1331]: Analyzed: 24754 ( 3.808%) Oct 13 15:05:47 snort[1331]: Dropped: 0 ( 0.000%) Oct 13 15:05:47 snort[1331]: Filtered: 625332 ( 96.193%) Oct 13 15:05:47 snort[1331]: Outstanding: 18446744073709551613 (2837598287250944.000%) Oct 13 15:05:47 snort[1331]: Injected: 0 Oct 13 15:05:47 snort[1331]: =============================================================================== snort # snort -V ,,_ -*> Snort!<*- o" )~ Version 2.9.0 (Build 68) '''' By Martin Roesch& The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 1998-2010 Sourcefire, Inc., et al. Using libpcap version 1.0.0 Using PCRE version: 7.9 2009-04-11 Using ZLIB version: 1.2.3 thx, WallyHi, Please confirm that you are using the 0.2 release of LibDAQ. There were changes to the AFPacket code between 0.1 and 0.2 that fixed an issue with this symptom. You can check the version of the AFPacket DAQ module by passing the --daq-list switch to Snort; it should be v2 if it is from the 0.2 release. -Michael ------------------------------------------------------------------------------ Download new Adobe(R) Flash(R) Builder(TM) 4 The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly Flex(R) Builder(TM)) enable the development of rich applications that run across multiple browsers and platforms. Download your free trials today! http://p.sf.net/sfu/adobe-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Download new Adobe(R) Flash(R) Builder(TM) 4 The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly Flex(R) Builder(TM)) enable the development of rich applications that run across multiple browsers and platforms. Download your free trials today! http://p.sf.net/sfu/adobe-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- afpacket DAQ - large "Outstanding" number/percent Jason Wallace (Oct 13)
- Re: afpacket DAQ - large "Outstanding" number/percent Randal T. Rioux (Oct 13)
- Re: afpacket DAQ - large "Outstanding" number/percent Michael Altizer (Oct 14)
- Re: afpacket DAQ - large "Outstanding" number/percent Jason Wallace (Oct 15)
- Re: afpacket DAQ - large "Outstanding" number/percent Michael Altizer (Oct 18)
- Re: afpacket DAQ - large "Outstanding" number/percent Jason Wallace (Oct 19)
- Re: afpacket DAQ - large "Outstanding" number/percent Jason Wallace (Nov 02)
- Re: afpacket DAQ - large "Outstanding" number/percent Jason Wallace (Oct 15)