Bug #954

closed

VLAN decoder stats with AF Packet get written to the first thread only - stats.log

Added by Peter Manev over 10 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Running afpacket and pfring on the same machine, same traffic, the same suricata.yaml.

There seems to be an interesting case in the statistics log (could possibly suggest some other issue) with afpacket where decoder vlan stats are written (or decoded?) only by the first thread.

Detailed info below.

AFPacket:

grep vlan /var/data/log/suricata/StatsByDate/stats-2013-09-11.log |tail -16
decoder.vlan              | AFPacketeth31             | 808
decoder.vlan              | AFPacketeth32             | 0
decoder.vlan              | AFPacketeth33             | 0
decoder.vlan              | AFPacketeth34             | 0
decoder.vlan              | AFPacketeth35             | 0
decoder.vlan              | AFPacketeth36             | 0
decoder.vlan              | AFPacketeth37             | 0
decoder.vlan              | AFPacketeth38             | 0
decoder.vlan              | AFPacketeth39             | 0
decoder.vlan              | AFPacketeth310            | 0
decoder.vlan              | AFPacketeth311            | 0
decoder.vlan              | AFPacketeth312            | 0
decoder.vlan              | AFPacketeth313            | 0
decoder.vlan              | AFPacketeth314            | 0
decoder.vlan              | AFPacketeth315            | 0
decoder.vlan              | AFPacketeth316            | 0

PFring:

grep vlan /var/data/log/suricata/StatsByDate/stats-2013-09-12.log |tail -16
decoder.vlan              | RxPFReth31                | 2
decoder.vlan              | RxPFReth32                | 6
decoder.vlan              | RxPFReth33                | 8
decoder.vlan              | RxPFReth34                | 13
decoder.vlan              | RxPFReth35                | 8
decoder.vlan              | RxPFReth36                | 10
decoder.vlan              | RxPFReth37                | 0
decoder.vlan              | RxPFReth38                | 4
decoder.vlan              | RxPFReth39                | 10
decoder.vlan              | RxPFReth310               | 912
decoder.vlan              | RxPFReth311               | 13
decoder.vlan              | RxPFReth312               | 19
decoder.vlan              | RxPFReth313               | 26
decoder.vlan              | RxPFReth314               | 8
decoder.vlan              | RxPFReth315               | 6
decoder.vlan              | RxPFReth316               | 8

suricata --build-info
This is Suricata version 2.0dev (rev 5614313)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LUAJIT HAVE_LIBJANSSON PROFILING
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.6, linked against LibHTP v0.5.6
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                no
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       yes
  Profiling locks enabled:                 no

Generic build parameters:
  Installation prefix (--prefix):          /usr/local
  Configuration directory (--sysconfdir):  /usr/local/etc/suricata/
  Log directory (--localstatedir) :        /usr/local/var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no

Much more info can be privately shared if needed.

Actions #1

Updated by Victor Julien over 10 years ago

  • Description updated (diff)

Cleaned up description.

Actions #2

Updated by Victor Julien over 10 years ago

I suspect this is caused by afpacket itself. Just like it has to deal in a special way with fragments, vlan tagged packets may all come in on one of the cluster ids.

Actions #3

Updated by Victor Julien over 10 years ago

  • Target version set to TBD

Actions #3

Updated by Eric Leblond about 10 years ago

  • Status changed from New to Closed
  • Target version changed from TBD to 2.0rc1

The statistics displayed here are a consequence of the problem fixed in #1082. The kernel is sending packets with the vlan header stripped to userspace. So in reality we have no vlan.

But in some cases, we've got some garbage data that is seen as vlan. This explains why there are so few packets in the stats. In fact, the real result on the test box is millions of tagged packets in a few seconds.
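
As an added illustration of what Eric describes (this is example code, not code from the ticket or from Suricata): with AF_PACKET the kernel strips the 802.1Q header and, on TPACKET_V2 rings, reports the tag out of band in the frame header (tp_vlan_tci, flagged by TP_STATUS_VLAN_VALID), so a decoder that only reads the on-wire bytes sees no vlan. The routine below rebuilds the tagged frame from the stripped frame plus that TCI so the normal vlan decoder path counts it; it assumes a TPID of 0x8100 (newer kernels also report tp_vlan_tpid) and uses a constructed sample frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_ALEN    6
#define ETH_HLEN    14
#define VLAN_HLEN   4
#define ETH_P_8021Q 0x8100   /* standard 802.1Q TPID, same value as in the Linux headers */

/* VLAN ID of a frame that still carries an 802.1Q header, -1 otherwise. */
int frame_vlan_id(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN + VLAN_HLEN || ((frame[12] << 8) | frame[13]) != ETH_P_8021Q)
        return -1;
    return ((frame[14] << 8) | frame[15]) & 0x0fff;
}

/* Rebuild the on-wire frame from a frame whose tag the kernel stripped and
 * reported out of band (TPACKET_V2: tp_vlan_tci, valid when TP_STATUS_VLAN_VALID
 * is set; tag_valid mirrors that flag): dst/src MAC, TPID+TCI, original ethertype
 * and payload. Returns the new length, 0 on bad input; untagged frames pass through. */
size_t vlan_reinsert(const uint8_t *frame, size_t len, int tag_valid, uint16_t tci,
                     uint8_t *out, size_t out_cap)
{
    if (len < ETH_HLEN || out_cap < len + VLAN_HLEN)
        return 0;
    if (!tag_valid) {
        memcpy(out, frame, len);
        return len;
    }
    memcpy(out, frame, 2 * ETH_ALEN);
    out[12] = ETH_P_8021Q >> 8;     out[13] = ETH_P_8021Q & 0xff;
    out[14] = (uint8_t)(tci >> 8);  out[15] = (uint8_t)tci;
    memcpy(out + 2 * ETH_ALEN + VLAN_HLEN, frame + 2 * ETH_ALEN, len - 2 * ETH_ALEN);
    return len + VLAN_HLEN;
}

int main(void)
{
    /* Constructed sample: stripped IPv4 frame (ethertype 0x0800); VID 100 arrived out of band. */
    const uint8_t stripped[] = { 0,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
                                 0x08,0x00, 0x45,0x00,0x00,0x14 };
    uint8_t wire[64];
    size_t n = vlan_reinsert(stripped, sizeof stripped, 1, 0x0064, wire, sizeof wire);
    printf("before: vlan=%d  after: len=%zu vlan=%d\n",
           frame_vlan_id(stripped, sizeof stripped), n, frame_vlan_id(wire, n));
    return 0;
}
```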

Actions #5

Updated by Peter Manev about 9 years ago

  • Status changed from Closed to New
  • Target version changed from 2.0rc1 to 2.1beta4

Re-opening.

It seems the original problem (when the ticket was opened) is back with 2.1dev (rev 7426a9c).

af-packet:

root@snif01:/var/log/suricata# grep vlan stats.log | tail -8
decoder.vlan              | AFPacketeth21             | 171138
decoder.vlan_qinq         | AFPacketeth21             | 0
decoder.vlan              | AFPacketeth22             | 0
decoder.vlan_qinq         | AFPacketeth22             | 0
decoder.vlan              | AFPacketeth23             | 0
decoder.vlan_qinq         | AFPacketeth23             | 0
decoder.vlan              | AFPacketeth24             | 0
decoder.vlan_qinq         | AFPacketeth24             | 0

pf-ring:

root@snif01:/var/log/suricata# grep vlan stats.log | tail -8
decoder.vlan              | RxPFReth21                | 816449
decoder.vlan_qinq         | RxPFReth21                | 816449
decoder.vlan              | RxPFReth22                | 962026
decoder.vlan_qinq         | RxPFReth22                | 962026
decoder.vlan              | RxPFReth23                | 869539
decoder.vlan_qinq         | RxPFReth23                | 869539
decoder.vlan              | RxPFReth24                | 914176
decoder.vlan_qinq         | RxPFReth24                | 914176
root@snif01:/var/log/suricata# 

Suricata info:

root@snif01:/var/log/suricata# suricata --build-info
This is Suricata version 2.1dev (rev 7426a9c)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON TLS 
SIMD support: SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.16, linked against LibHTP v0.5.16

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                no
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr/local
  Configuration directory (--sysconfdir):  /usr/local/etc/suricata/
  Log directory (--localstatedir) :        /usr/local/var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
root@snif01:/var/log/suricata# 

Actions #6

Updated by Victor Julien almost 9 years ago

  • Target version changed from 2.1beta4 to 3.0RC1

Actions #7

Updated by Victor Julien over 8 years ago

  • Target version deleted (3.0RC1)

Actions #8

Updated by Andreas Herz over 8 years ago

  • Target version set to TBD

Actions #9

Updated by Peter Manev over 8 years ago

  • Status changed from New to Closed

Fixed in latest git master.

Actions #10

Updated by Victor Julien over 6 years ago

  • Target version deleted (TBD)