Bug #1043 (closed)
Different results for the same input pcap file in autofp mode
Description
I ran suricata-1.4.6 with the same pcap file two times and the outputs are not equal. Actually, I compared the fast.log outputs and, while the number of lines is equal, some lines which are in the first fast.log output don't appear in the second one and vice versa. Specifically, the run mode was autofp; I removed the time stamps from all output lines, sorted them and compared them. Surprisingly, there are some IPs in each output which don't appear in the other one.
The pcap file with which I tested suricata is ctf08_1228495450_eth1 of https://ictf.cs.ucsb.edu/data/ictf2008/ctf08_traffic.tgz
I attached two fast.log output files.
Updated by Peter Manev about 11 years ago
What is your run line?
Did you change any suricata.yaml settings between the runs?
Can you reproduce the issue with a pcap smaller than 2.9GB?
Updated by Amin Latifi about 11 years ago
For example, line 2085 of 1.log does not exist in the 2.log file. There are too many differences between these two files. I used the lines below and looked at the difference between the two sorted files.
cat 1.log | cut -f2- -d' ' | sort > sort_1.log
cat 2.log | cut -f2- -d' ' | sort > sort_2.log
The point is that the number of lines in both files is equal!
No, I used the same suricata.yaml file for both runs.
No, I don't have another traffic file available for testing.
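As an added example (not part of the bug report or of Suricata itself), the following Python script does what the cut/sort commands in the comment above do, but as a multiset difference: timestamps are stripped, every normalized alert is counted, and the script reports which alerts and which flow endpoints occur in one run but not the other, so that two runs with equal line counts but different content are flagged. The fast.log line layout is assumed from Suricata's default fast output, and the sample alerts are constructed, not taken from the attached logs.

```python
"""Compare two Suricata fast.log runs after removing timestamps.

Added example, not from the bug report. Assumed fast.log line layout:
  <timestamp>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
"""
import re
from collections import Counter

# Timestamp at the start of every fast.log line, e.g. "12/05/2008-15:04:10.000001  "
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+\s+")

# Flow endpoints at the end of the line, e.g. "{TCP} 10.0.0.1:40000 -> 10.0.0.2:80"
FLOW_RE = re.compile(r"\{\w+\} (\S+) -> (\S+)$")


def normalize(line):
    """Strip the timestamp so alert identity depends only on the rule and the flow,
    which is what the cut -f2- step in the bug thread achieves."""
    return TIMESTAMP_RE.sub("", line.rstrip("\n"))


def alert_multiset(lines):
    """Count normalized alerts. A Counter (multiset) is used rather than a set
    because one rule can fire on several packets of the same flow, and the
    number of times it fires is part of what should be reproducible."""
    return Counter(normalize(line) for line in lines if line.strip())


def compare_runs(lines_a, lines_b):
    """Return (only_in_a, only_in_b): alerts present in one run more often than
    in the other. Equal line counts together with non-empty differences is the
    symptom reported for autofp mode."""
    a, b = alert_multiset(lines_a), alert_multiset(lines_b)
    return a - b, b - a


def flows_only_in(diff):
    """Extract the (src, dst) endpoints of each differing alert, to see which
    addresses show up in only one of the two runs."""
    flows = set()
    for alert in diff:
        match = FLOW_RE.search(alert)
        if match:
            flows.add((match.group(1), match.group(2)))
    return flows


# Constructed sample runs: same number of lines, different content.
RUN_1 = """\
12/05/2008-15:04:10.000001  [**] [1:2000001:1] CONSTRUCTED RULE A [**] [Classification: Misc] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80
12/05/2008-15:04:11.000002  [**] [1:2000002:1] CONSTRUCTED RULE B [**] [Classification: Misc] [Priority: 3] {TCP} 10.0.0.3:40001 -> 10.0.0.2:80
12/05/2008-15:04:12.000003  [**] [1:2000001:1] CONSTRUCTED RULE A [**] [Classification: Misc] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80
""".splitlines(keepends=True)

RUN_2 = """\
12/05/2008-15:04:10.000009  [**] [1:2000001:1] CONSTRUCTED RULE A [**] [Classification: Misc] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80
12/05/2008-15:04:11.000010  [**] [1:2000002:1] CONSTRUCTED RULE B [**] [Classification: Misc] [Priority: 3] {TCP} 10.0.0.3:40001 -> 10.0.0.2:80
12/05/2008-15:04:12.000011  [**] [1:2000003:1] CONSTRUCTED RULE C [**] [Classification: Misc] [Priority: 3] {TCP} 10.0.0.4:40002 -> 10.0.0.2:80
""".splitlines(keepends=True)


if __name__ == "__main__":
    # For real use: compare_runs(open("1.log"), open("2.log"))
    only_1, only_2 = compare_runs(RUN_1, RUN_2)
    print("lines:", len(RUN_1), "vs", len(RUN_2))
    print("only in run 1:", sum(only_1.values()), "alert(s)", flows_only_in(only_1))
    print("only in run 2:", sum(only_2.values()), "alert(s)", flows_only_in(only_2))
```

On the constructed input both runs have three lines, yet one RULE A alert exists only in run 1 and the RULE C alert (and its 10.0.0.4 source) only in run 2; that is the shape of the discrepancy the reporter sees, and a multiset comparison catches it where a plain line count does not.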
Updated by Victor Julien about 11 years ago
- Assignee deleted (Anonymous)
- Target version deleted (1.4)