Bug #1866
closedFragmented unix_dgram output
Description
I am reading EVE-alerts from a Unix datagram socket. When alerts are large enough – 4096 bytes or more – they get split up into multiple datagrams, kinda destroying the point of them in the first place.
From poking around in the source, I'm guessing this is because Suricata uses fwrite to send data to the socket instead of write, which streans the data in PIPE_BUF (=4096 bytes on Linux) chunks internally.
Relevant code:
https://github.com/inliniac/suricata/blob/271bd045396b618cd52079be17ca083c4931f87e/src/util-logopenfile.c#L143
Updated by Victor Julien over 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Jens Goldberg about 7 years ago
Since suricata now uses send() on Unix sockets, this bug is no longer an issue.
Updated by Victor Julien about 7 years ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Jason Ish
- Target version changed from TBD to 4.0beta1
Looks like this was fixed by https://github.com/OISF/suricata/commit/59b98649de2fad5594756983b3a86c940a3575c7 in the 4.0 development cycle.
Thanks for circling back!