Bug #1043

closed

Different results for the same input pcap file in autofp mode

Added by Amin Latifi about 11 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

I ran suricata-1.4.6 with the same pcap file two times and the outputs are not equal. Actually, I compared the fast.log outputs and while the number of lines is equal, some lines which are in the first fast.log output don't appear in the second one and vice versa. Specifically, the run mode was autofp; I removed the time stamps from all output lines, sorted them and compared them. Surprisingly, there are some IPs in each output which don't appear in the other one.
The pcap file with which I tested Suricata is ctf08_1228495450_eth1 from https://ictf.cs.ucsb.edu/data/ictf2008/ctf08_traffic.tgz

I attached two fast.log output files.


Files

fast.log.zip (210 KB) Amin Latifi, 11/23/2013 12:47 AM
#1

Updated by Peter Manev about 11 years ago

What is your run line?

Did you change any suricata.yaml settings between the runs?

Can you reproduce the issue with a pcap smaller than 2.9GB?

#2

Updated by Amin Latifi about 11 years ago

For example, line 2085 of 1.log does not exist in the 2.log file. There are too many differences between these two files. I used the lines below and watched the difference between the two sorted files.

cat 1.log | cut -f2- -d' ' | sort > sort_1.log
cat 2.log | cut -f2- -d' ' | sort > sort_2.log

The point is that the number of lines in both files is equal!

No, I used the same suricata.yaml file for both runs.

No, I don't have another traffic file available for testing.
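The check the reporter describes (drop the timestamp, sort, compare) done as a multiset diff, together with the per-IP comparison mentioned in the description. This is an added example and not part of the bug report or of Suricata: the fast.log lines below are constructed, the signature IDs 9000001 to 9000004 are placeholders, and the regular expressions assume the Suricata 1.x fast.log layout (timestamp, whitespace, `[**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port`).

```python
"""Compare two Suricata fast.log files with timestamps ignored.

Added example, not part of the bug report or of Suricata. It reproduces the
"strip the timestamp, sort, compare" check as a multiset diff and adds the
per-IP comparison from the report. The sample lines are constructed and the
sids 9000001-9000004 are placeholders.
"""
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Suricata 1.x fast.log line:
# "MM/DD/YYYY-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...]
#  [Priority: N] {PROTO} src:port -> dst:port"
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6}\s+")
# Non-greedy address groups: backtracking splits an IPv6 address at the last
# colon before the port, so "2001:db8::1:443" still parses.
ENDPOINTS_RE = re.compile(r"\{(\w+)\} (\S+?):(\d+) -> (\S+?):(\d+)\s*$")

# Constructed runs with equal line counts but different alert sets. Alert A
# fires twice in run 1 and once in run 2; B the other way round; C appears
# only in run 1 and D only in run 2.
RUN_1 = [
    "11/23/2013-00:47:12.000001  [**] [1:9000001:1] CONSTRUCTED alert A [**] [Classification: Test] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80",
    "11/23/2013-00:47:12.000002  [**] [1:9000002:1] CONSTRUCTED alert B [**] [Classification: Test] [Priority: 3] {UDP} 10.0.0.3:53 -> 10.0.0.4:33333",
    "11/23/2013-00:47:12.000003  [**] [1:9000001:1] CONSTRUCTED alert A [**] [Classification: Test] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80",
    "11/23/2013-00:47:12.000004  [**] [1:9000003:1] CONSTRUCTED alert C [**] [Classification: Test] [Priority: 3] {TCP} 10.0.0.5:1234 -> 10.0.0.6:22",
]
RUN_2 = [
    "11/23/2013-00:49:01.000001  [**] [1:9000002:1] CONSTRUCTED alert B [**] [Classification: Test] [Priority: 3] {UDP} 10.0.0.3:53 -> 10.0.0.4:33333",
    "11/23/2013-00:49:01.000002  [**] [1:9000001:1] CONSTRUCTED alert A [**] [Classification: Test] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80",
    "11/23/2013-00:49:01.000003  [**] [1:9000004:1] CONSTRUCTED alert D [**] [Classification: Test] [Priority: 3] {TCP} 10.0.0.7:5555 -> 10.0.0.8:443",
    "11/23/2013-00:49:01.000004  [**] [1:9000002:1] CONSTRUCTED alert B [**] [Classification: Test] [Priority: 3] {UDP} 10.0.0.3:53 -> 10.0.0.4:33333",
]


def strip_timestamp(line: str) -> str:
    """Drop the leading timestamp so identical alerts from two runs compare equal."""
    return TIMESTAMP_RE.sub("", line.rstrip("\n"), count=1)


def alert_multiset(lines: Iterable[str]) -> Counter:
    """Count each timestamp-less alert line (the 'sort' step done in memory)."""
    return Counter(strip_timestamp(line) for line in lines if line.strip())


def compare_fast_logs(lines_a: Iterable[str], lines_b: Iterable[str]) -> Tuple[Counter, Counter]:
    """Return (alerts only in A, alerts only in B) as multisets.

    Counter subtraction keeps only positive counts, so an alert that fired
    twice in A and once in B shows up once in the first result.
    """
    a, b = alert_multiset(lines_a), alert_multiset(lines_b)
    return a - b, b - a


def endpoints(alert: str) -> Optional[Tuple[str, str, int, str, int]]:
    """Extract (proto, src, sport, dst, dport) from a fast.log line; None if absent."""
    match = ENDPOINTS_RE.search(alert)
    if match is None:
        return None
    proto, src, sport, dst, dport = match.groups()
    return proto, src, int(sport), dst, int(dport)


def ips_seen(lines: Iterable[str]) -> set:
    """All source and destination addresses that appear in a run."""
    ips = set()
    for line in lines:
        parsed = endpoints(strip_timestamp(line))
        if parsed is not None:
            ips.update((parsed[1], parsed[3]))
    return ips


def ip_differences(lines_a: Iterable[str], lines_b: Iterable[str]) -> Tuple[set, set]:
    """Addresses present in one run's alerts but not the other's."""
    a, b = ips_seen(lines_a), ips_seen(lines_b)
    return a - b, b - a


def summarize(lines_a: Iterable[str], lines_b: Iterable[str]) -> dict:
    """Headline numbers. Equal line counts alone say nothing about equal content."""
    a, b = list(lines_a), list(lines_b)  # iterate file objects more than once
    only_a, only_b = compare_fast_logs(a, b)
    ips_a, ips_b = ip_differences(a, b)
    return {
        "lines_a": len(a), "lines_b": len(b),
        "only_in_a": sum(only_a.values()), "only_in_b": sum(only_b.values()),
        "ips_only_in_a": sorted(ips_a), "ips_only_in_b": sorted(ips_b),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: compare_fastlog.py 1.log 2.log
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            result = summarize(fa, fb)
    else:
        result = summarize(RUN_1, RUN_2)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run with two real files as `python compare_fastlog.py 1.log 2.log`; with no arguments it uses the constructed runs. The multiset diff is the in-memory equivalent of the reporter's `cut | sort` pipeline followed by a line-by-line diff, and it makes the point of the report explicit: two runs can have the same number of lines while the sets of alerts, and the IP addresses in them, differ.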

#3

Updated by Victor Julien about 11 years ago

  • Assignee deleted (Anonymous)
  • Target version deleted (1.4)
#4

Updated by Andreas Herz over 8 years ago

  • Status changed from New to Closed
