Bug #2225

closed

When stats info is dumped to Redis, decoder.ipv4.trunc_pkt is not output. At the same time, in stats.log it is output.

Added by zhancang xu over 6 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The stats.log:

Date: 10/10/2017 -- 15:57:58 (uptime: 0d, 00h 01m 04s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 6
decoder.pkts                               | Total                     | 8
decoder.bytes                              | Total                     | 1526
decoder.invalid                            | Total                     | 1
decoder.ipv4                               | Total                     | 8
decoder.ethernet                           | Total                     | 8
decoder.tcp                                | Total                     | 7
decoder.avg_pkt_size                       | Total                     | 190
decoder.max_pkt_size                       | Total                     | 577
flow.tcp                                   | Total                     | 1
decoder.ipv4.trunc_pkt                     | Total                     | 1
tcp.sessions                               | Total                     | 1
tcp.invalid_checksum                       | Total                     | 1
tcp.syn                                    | Total                     | 2
tcp.synack                                 | Total                     | 2
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074592

The Redis stats log:

 "{\"timestamp\": \"2017-10-10T15:57:04.000180+0800\", \"event_type\": \"stats\", \"stats\": {\"uptime\": 10, \"capture\": {\"kernel_packets\": 1, \"kernel_drops\": 0}, \"decoder\": {\"pkts\": 0, \"bytes\": 0, \"invalid\": 0, \"ipv4\": 0, \"ipv6\": 0, \"ethernet\": 0, \"raw\": 0, \"null\": 0, \"sll\": 0, \"tcp\": 0, \"udp\": 0, \"sctp\": 0, \"icmpv4\": 0, \"icmpv6\": 0, \"ppp\": 0, \"pppoe\": 0, \"gre\": 0, \"vlan\": 0, \"vlan_qinq\": 0, \"teredo\": 0, \"ipv4_in_ipv6\": 0, \"ipv6_in_ipv6\": 0, \"mpls\": 0, \"avg_pkt_size\": 0, \"max_pkt_size\": 0, \"erspan\": 0, \"ipraw\": {\"invalid_ip_version\": 0}, \"ltnull\": {\"pkt_too_small\": 0, \"unsupported_type\": 0}, \"dce\": {\"pkt_too_small\": 0}}, \"flow\": {\"memcap\": 0, \"tcp\": 0, \"udp\": 0, \"icmpv4\": 0, \"icmpv6\": 0, \"spare\": 10000, \"emerg_mode_entered\": 0, \"emerg_mode_over\": 0, \"tcp_reuse\": 0, \"memuse\": 7074304}, \"defrag\": {\"ipv4\": {\"fragments\": 0, \"reassembled\": 0, \"timeouts\": 0}, \"ipv6\": {\"fragments\": 0, \"reassembled\": 0, \"timeouts\": 0}, \"max_frag_hits\": 0}, \"tcp\": {\"sessions\": 0, \"ssn_memcap_drop\": 0, \"pseudo\": 0, \"pseudo_failed\": 0, \"invalid_checksum\": 0, \"no_flow\": 0, \"syn\": 0, \"synack\": 0, \"rst\": 0, \"segment_memcap_drop\": 0, \"stream_depth_reached\": 0, \"reassembly_gap\": 0, \"overlap\": 0, \"overlap_diff_data\": 0, \"insert_data_normal_fail\": 0, \"insert_data_overlap_fail\": 0, \"insert_list_fail\": 0, \"memuse\": 573440, \"reassembly_memuse\": 81920}, \"detect\": {\"alert\": 0}, \"app_layer\": {\"flow\": {\"http\": 0, \"imap\": 0, \"msn\": 0, \"dns_tcp\": 0, \"enip\": 0, \"dnp3\": 0, \"failed_tcp\": 0, \"dns_udp\": 0, \"failed_udp\": 0}, \"tx\": {\"http\": 0, \"dns_tcp\": 0, \"dns_udp\": 0, \"enip\": 0}}, \"flow_mgr\": {\"closed_pruned\": 0, \"new_pruned\": 0, \"est_pruned\": 0, \"bypassed_pruned\": 0, \"flows_checked\": 0, \"flows_notimeout\": 0, \"flows_timeout\": 0, \"flows_timeout_inuse\": 0, \"flows_removed\": 0, \"rows_checked\": 65536, 
\"rows_skipped\": 65536, \"rows_empty\": 0, \"rows_busy\": 0, \"rows_maxlen\": 0}, \"file_store\": {\"open_files\": 0}, \"dns\": {\"memuse\": 0, \"memcap_state\": 0, \"memcap_global\": 0}, \"http\": {\"memuse\": 0, \"memcap\": 0}}, \"host\": \"LFG1000330219\"}" 


Related issues: 1 (0 open, 1 closed)

Related to Suricata - Task #3135: counters: new default for decoder events (Closed, Shivani Bhardwaj)
Actions #1

Updated by Victor Julien over 6 years ago

  • Description updated (diff)
  • Priority changed from High to Normal
Actions #2

Updated by Sascha Steinbiss over 6 years ago

Looks like this is a result of having both decoder.ipv4 and decoder.ipv4.trunc_pkt. Since the JSON object structure is determined from the dotted counter names (interpreting them as 'paths' into the structure to construct), this would be a situation where there is a conflict: decoder.ipv4 is created as a literal number first, but one would need to make a sub-object for decoder.ipv4.trunc_pkt.

So I guess one would either need to rename decoder.ipv4 to decoder.ipv4.count or decoder.ipv4.trunc_pkt to decoder.trunc_pkt.ipv4 (or something like that).

Actions #3

Updated by Sascha Steinbiss over 6 years ago

BTW, this could be a problem in various other places as well. Here's a list of counters where a literal value would be referred to by the same JSON key as a sub-object:

$ tail -n 50000 /tmp/stats.log | cut -f1 -d' ' | sort | uniq | fgrep . > counters_all.txt
$ for v in `cat counters_all.txt`; do echo $v; fgrep $v. counters_all.txt| wc -l; done | egrep -B1 '^[1-9][0-9]*$'
decoder.erspan
3
--
decoder.ethernet
1
--
decoder.gre
15
--
decoder.icmpv4
5
--
decoder.icmpv6
8
--
decoder.ipv4
16
--
decoder.ipv6
30
--
decoder.mpls
5
--
decoder.ppp
6
--
decoder.pppoe
3
--
decoder.sctp
1
--
decoder.sll
1
--
decoder.tcp
5
--
decoder.udp
3
--
decoder.vlan
3
Actions #4

Updated by Andreas Herz over 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #5

Updated by Victor Julien over 6 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish
  • Target version changed from TBD to 70

Probably the best is to avoid the name collisions by putting the events in as 'decoder.event.ipv4.trunc_pkt' or similar.
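
As an added example (not Suricata's code, and not part of this comment) of the collision described in #2, the prefix check from #3 and the decoder.event.* namespacing proposed here: a small, hypothetical Python re-implementation of nesting dotted counter names into the stats object. It drops decoder.ipv4.trunc_pkt silently, just as the Redis output above lacks it, and shows the rename resolving the conflict. The counter values are a constructed subset of the stats.log in the description.

```python
import json

def find_collisions(names):
    """Counter names that are also prefixes of other names (same check as #3)."""
    names = set(names)
    return sorted(n for n in names if any(o.startswith(n + ".") for o in names))

def build_stats_tree(counters, strict=False):
    """Nest dotted counter names into a dict the way the EVE stats record
    is shaped (hypothetical re-implementation). Returns (tree, dropped): a
    counter whose path hits a key already holding a number, or whose leaf
    already holds a sub-object, is dropped; strict=True raises instead."""
    tree, dropped = {}, []
    for name, value in counters.items():
        parts = name.split(".")
        node = tree
        for part in parts[:-1]:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                break  # e.g. "ipv4" already holds the decoder.ipv4 number
            node = child
        else:
            if not isinstance(node.get(parts[-1]), dict):
                node[parts[-1]] = value
                continue
        if strict:
            raise ValueError(f"counter {name} collides with an existing key")
        dropped.append(name)
    return tree, dropped

def rename_event_counters(counters, event_names):
    """Move the given event counters under <prefix>.event.*, the
    namespacing proposed in #5 (decoder.event.ipv4.trunc_pkt)."""
    out = {}
    for name, value in counters.items():
        if name in event_names:
            head, rest = name.split(".", 1)
            name = f"{head}.event.{rest}"
        out[name] = value
    return out

# Constructed sample: a subset of the stats.log counters from the description.
STATS_LOG_COUNTERS = {"decoder.pkts": 8, "decoder.ipv4": 8,
                      "decoder.ipv4.trunc_pkt": 1, "tcp.sessions": 1}

if __name__ == "__main__":
    tree, dropped = build_stats_tree(STATS_LOG_COUNTERS)
    print("collisions:", find_collisions(STATS_LOG_COUNTERS), "dropped:", dropped)
    fixed = rename_event_counters(STATS_LOG_COUNTERS, {"decoder.ipv4.trunc_pkt"})
    print(json.dumps(build_stats_tree(fixed)[0], indent=1))
```

Running find_collisions over the full counter list from stats.log reproduces the list in #3 without the shell pipeline, and strict=True turns a silent drop into a failure that a test suite can catch.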

Actions #6

Updated by Victor Julien about 5 years ago

  • Assignee changed from Jason Ish to Victor Julien
  • Target version changed from 70 to 4.1.3
Actions #7

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to Closed
Actions #8

Updated by Victor Julien over 4 years ago

  • Related to Task #3135: counters: new default for decoder events added