Bug #2225
closedwhen stats info dumping in redis,the decoder.ipv4.trunc_pkt can't output.In the same time, in the stats.log this can output
Description
the stat.log
Date: 10/10/2017 -- 15:57:58 (uptime: 0d, 00h 01m 04s) ------------------------------------------------------------------------------------ Counter | TM Name | Value ------------------------------------------------------------------------------------ capture.kernel_packets | Total | 6 decoder.pkts | Total | 8 decoder.bytes | Total | 1526 decoder.invalid | Total | 1 decoder.ipv4 | Total | 8 decoder.ethernet | Total | 8 decoder.tcp | Total | 7 decoder.avg_pkt_size | Total | 190 decoder.max_pkt_size | Total | 577 flow.tcp | Total | 1 decoder.ipv4.trunc_pkt | Total | 1 tcp.sessions | Total | 1 tcp.invalid_checksum | Total | 1 tcp.syn | Total | 2 tcp.synack | Total | 2 flow.spare | Total | 10000 flow_mgr.rows_checked | Total | 65536 flow_mgr.rows_skipped | Total | 65536 tcp.memuse | Total | 573440 tcp.reassembly_memuse | Total | 81920 flow.memuse | Total | 7074592
the redis stat log:
"{\"timestamp\": \"2017-10-10T15:57:04.000180+0800\", \"event_type\": \"stats\", \"stats\": {\"uptime\": 10, \"capture\": {\"kernel_packets\": 1, \"kernel_drops\": 0}, \"decoder\": {\"pkts\": 0, \"bytes\": 0, \"invalid\": 0, \"ipv4\": 0, \"ipv6\": 0, \"ethernet\": 0, \"raw\": 0, \"null\": 0, \"sll\": 0, \"tcp\": 0, \"udp\": 0, \"sctp\": 0, \"icmpv4\": 0, \"icmpv6\": 0, \"ppp\": 0, \"pppoe\": 0, \"gre\": 0, \"vlan\": 0, \"vlan_qinq\": 0, \"teredo\": 0, \"ipv4_in_ipv6\": 0, \"ipv6_in_ipv6\": 0, \"mpls\": 0, \"avg_pkt_size\": 0, \"max_pkt_size\": 0, \"erspan\": 0, \"ipraw\": {\"invalid_ip_version\": 0}, \"ltnull\": {\"pkt_too_small\": 0, \"unsupported_type\": 0}, \"dce\": {\"pkt_too_small\": 0}}, \"flow\": {\"memcap\": 0, \"tcp\": 0, \"udp\": 0, \"icmpv4\": 0, \"icmpv6\": 0, \"spare\": 10000, \"emerg_mode_entered\": 0, \"emerg_mode_over\": 0, \"tcp_reuse\": 0, \"memuse\": 7074304}, \"defrag\": {\"ipv4\": {\"fragments\": 0, \"reassembled\": 0, \"timeouts\": 0}, \"ipv6\": {\"fragments\": 0, \"reassembled\": 0, \"timeouts\": 0}, \"max_frag_hits\": 0}, \"tcp\": {\"sessions\": 0, \"ssn_memcap_drop\": 0, \"pseudo\": 0, \"pseudo_failed\": 0, \"invalid_checksum\": 0, \"no_flow\": 0, \"syn\": 0, \"synack\": 0, \"rst\": 0, \"segment_memcap_drop\": 0, \"stream_depth_reached\": 0, \"reassembly_gap\": 0, \"overlap\": 0, \"overlap_diff_data\": 0, \"insert_data_normal_fail\": 0, \"insert_data_overlap_fail\": 0, \"insert_list_fail\": 0, \"memuse\": 573440, \"reassembly_memuse\": 81920}, \"detect\": {\"alert\": 0}, \"app_layer\": {\"flow\": {\"http\": 0, \"imap\": 0, \"msn\": 0, \"dns_tcp\": 0, \"enip\": 0, \"dnp3\": 0, \"failed_tcp\": 0, \"dns_udp\": 0, \"failed_udp\": 0}, \"tx\": {\"http\": 0, \"dns_tcp\": 0, \"dns_udp\": 0, \"enip\": 0}}, \"flow_mgr\": {\"closed_pruned\": 0, \"new_pruned\": 0, \"est_pruned\": 0, \"bypassed_pruned\": 0, \"flows_checked\": 0, \"flows_notimeout\": 0, \"flows_timeout\": 0, \"flows_timeout_inuse\": 0, \"flows_removed\": 0, \"rows_checked\": 65536, \"rows_skipped\": 65536, \"rows_empty\": 0, \"rows_busy\": 0, \"rows_maxlen\": 0}, \"file_store\": {\"open_files\": 0}, \"dns\": {\"memuse\": 0, \"memcap_state\": 0, \"memcap_global\": 0}, \"http\": {\"memuse\": 0, \"memcap\": 0}}, \"host\": \"LFG1000330219\"}"
Updated by Victor Julien about 7 years ago
- Description updated (diff)
- Priority changed from High to Normal
Updated by Sascha Steinbiss about 7 years ago
Looks like this is a result of having both decoder.ipv4
and decoder.ipv4.trunc_pkt
. Since JSON object structure is determined from the dotted counter names (interpreting them as 'paths' into the structure to construct) this would be a situation where there would be a conflict between decoder.ipv4
being created as a literal number first but one would need to make a sub-object for decoder.ipv4.trunc_pkt
.
So I guess one would either need to rename decoder.ipv4
to decoder.ipv4.count
or decoder.ipv4.trunc_pkt
to decoder.trunc_pkt.ipv4
(or something like that).
Updated by Sascha Steinbiss about 7 years ago
BTW, this could be a problem in various other places as well. Here's a list of counters where a literal value would be referred to by the same JSON key as a sub-object:
$ tail -n 50000 /tmp/stats.log | cut -f1 -d' ' | sort | uniq | fgrep . > counters_all.txt
$ for v in `cat counters_all.txt`; do echo $v; fgrep $v. counters_all.txt| wc -l; done | egrep -B1 '^[1-9][0-9]*$'
decoder.erspan
3
--
decoder.ethernet
1
--
decoder.gre
15
--
decoder.icmpv4
5
--
decoder.icmpv6
8
--
decoder.ipv4
16
--
decoder.ipv6
30
--
decoder.mpls
5
--
decoder.ppp
6
--
decoder.pppoe
3
--
decoder.sctp
1
--
decoder.sll
1
--
decoder.tcp
5
--
decoder.udp
3
--
decoder.vlan
3
Updated by Andreas Herz about 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien about 7 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
- Target version changed from TBD to 70
Probably the best is to avoid the name collisions by putting the events in as 'decoder.event.ipv4.trunc_pkt or similar.
Updated by Victor Julien almost 6 years ago
- Assignee changed from Jason Ish to Victor Julien
- Target version changed from 70 to 4.1.3
Updated by Victor Julien almost 6 years ago
- Status changed from Assigned to Closed
Updated by Victor Julien over 5 years ago
- Related to Task #3135: counters: new default for decoder events added