Snort mailing list archives
Re: var PKT_TIMEOUT in sfdaq.c
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 29 Feb 2012 17:28:32 -0500
On Wed, Feb 29, 2012 at 5:22 PM, Michael Altizer <maltizer () sourcefire com>wrote:
On 02/29/2012 05:00 PM, Guillaume Daleux wrote: Hi all,**** ** ** We had some problems with snort and snort daq which use 100% of processing power. After debugging, we saw that our system had a lot of call to poll function.**** ** ** The function poll (call in daq) set with a default snort parameter (PKT_TIMEOUT = 1000) is called everytime and didn't respect this timeout of 1 second (maybe heisenbug because only one printf removed this problem).** ** ** ** We want to ask you, why this parameter is set to 1000 ms and not -1 ? The poll function is called to wait packets so why the snort daq uses a timeout and not directly value -1 which would block until a packet arrive ?**** ** ** Can we patch snort and change PKT_TIMEOUT to -1 ?**** ** ** ** ** Thanks for your answer.**** ** ** ** ** Snort does certain "idle work" (see snort.c:SnortIdle()) each time the DAQ acquire call returns. If you made the call fully blocking, it would only return in the case of an error/signal/breakloop, and that code would not execute [often enough] when the packet rate is too low. I do not know why the timeout was being ignored in your case, which seems to be the real issue. You have not mentioned which DAQ module you are using.
If you are mucking about in the code, it would help to know what the call to poll() is returning as well.
------------------------------------------------------------------------------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: Invalid protocol name for "ip_proto" rule option: "igmp" Lukas Matt (Feb 24)
- Re: Invalid protocol name for "ip_proto" rule option: "igmp" Joel Esler (Feb 24)
- var PKT_TIMEOUT in sfdaq.c Guillaume Daleux (Feb 29)
- Re: var PKT_TIMEOUT in sfdaq.c Michael Altizer (Feb 29)
- Re: var PKT_TIMEOUT in sfdaq.c Russ Combs (Feb 29)
- Re: var PKT_TIMEOUT in sfdaq.c Guillaume Daleux (Feb 29)
- Re: var PKT_TIMEOUT in sfdaq.c Russ Combs (Feb 29)
- var PKT_TIMEOUT in sfdaq.c Guillaume Daleux (Feb 29)
- Re: Invalid protocol name for "ip_proto" rule option: "igmp" Joel Esler (Feb 24)