Bug #1866

closed

Fragmented unix_dgram output

Added by Jens Goldberg over 6 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I am reading EVE-alerts from a Unix datagram socket. When alerts are large enough – 4096 bytes or more – they get split up into multiple datagrams, kinda destroying the point of them in the first place.

From poking around in the source, I'm guessing this is because Suricata uses fwrite to send data to the socket instead of write, which streams the data in PIPE_BUF (=4096 bytes on Linux) chunks internally.

Relevant code:
https://github.com/inliniac/suricata/blob/271bd045396b618cd52079be17ca083c4931f87e/src/util-logopenfile.c#L143

Actions #1

Updated by Victor Julien over 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

Actions #2

Updated by Jens Goldberg about 5 years ago

Since suricata now uses send() on Unix sockets, this bug is no longer an issue.

Actions #3

Updated by Victor Julien about 5 years ago

  • Status changed from New to Closed
  • Assignee changed from OISF Dev to Jason Ish
  • Target version changed from TBD to 4.0beta1

Looks like this was fixed by https://github.com/OISF/suricata/commit/59b98649de2fad5594756983b3a86c940a3575c7 in the 4.0 development cycle.

Thanks for circling back!
