Bug #954 (closed)
VLAN decoder stats with AF Packet get written to the first thread only - stats.log
Description
Running afpacket and pfring on the same machine, same traffic, the same suricata.yaml.
There seems to be an interesting case in the statistics log (it could possibly suggest some other issue) with afpacket where decoder vlan stats are written (or decoded?) only by the first thread.
Detailed info below.
AFPacket:
grep vlan /var/data/log/suricata/StatsByDate/stats-2013-09-11.log |tail -16
decoder.vlan | AFPacketeth31 | 808
decoder.vlan | AFPacketeth32 | 0
decoder.vlan | AFPacketeth33 | 0
decoder.vlan | AFPacketeth34 | 0
decoder.vlan | AFPacketeth35 | 0
decoder.vlan | AFPacketeth36 | 0
decoder.vlan | AFPacketeth37 | 0
decoder.vlan | AFPacketeth38 | 0
decoder.vlan | AFPacketeth39 | 0
decoder.vlan | AFPacketeth310 | 0
decoder.vlan | AFPacketeth311 | 0
decoder.vlan | AFPacketeth312 | 0
decoder.vlan | AFPacketeth313 | 0
decoder.vlan | AFPacketeth314 | 0
decoder.vlan | AFPacketeth315 | 0
decoder.vlan | AFPacketeth316 | 0
PFring:
grep vlan /var/data/log/suricata/StatsByDate/stats-2013-09-12.log |tail -16
decoder.vlan | RxPFReth31 | 2
decoder.vlan | RxPFReth32 | 6
decoder.vlan | RxPFReth33 | 8
decoder.vlan | RxPFReth34 | 13
decoder.vlan | RxPFReth35 | 8
decoder.vlan | RxPFReth36 | 10
decoder.vlan | RxPFReth37 | 0
decoder.vlan | RxPFReth38 | 4
decoder.vlan | RxPFReth39 | 10
decoder.vlan | RxPFReth310 | 912
decoder.vlan | RxPFReth311 | 13
decoder.vlan | RxPFReth312 | 19
decoder.vlan | RxPFReth313 | 26
decoder.vlan | RxPFReth314 | 8
decoder.vlan | RxPFReth315 | 6
decoder.vlan | RxPFReth316 | 8
suricata --build-info
This is Suricata version 2.0dev (rev 5614313)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LUAJIT HAVE_LIBJANSSON PROFILING
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.6, linked against LibHTP v0.5.6

Suricata Configuration:
  AF_PACKET support: yes
  PF_RING support: yes
  NFQueue support: no
  IPFW support: no
  DAG enabled: no
  Napatech enabled: no
  Unix socket enabled: yes

  libnss support: yes
  libnspr support: yes
  libjansson support: yes
  Prelude support: no
  PCRE jit: no
  libluajit: yes
  libgeoip: yes
  Non-bundled htp: no
  Old barnyard2 support: no
  CUDA enabled: no

  Suricatasc install: yes

  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no
  Profiling enabled: yes
  Profiling locks enabled: no

Generic build parameters:
  Installation prefix (--prefix): /usr/local
  Configuration directory (--sysconfdir): /usr/local/etc/suricata/
  Log directory (--localstatedir) : /usr/local/var/log/suricata/

  Host: x86_64-unknown-linux-gnu
  GCC binary: gcc
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
Much more info can be privately shared if needed.
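A quick way to check a whole stats.log for the skew shown in this report, as an added example that is not part of the ticket or of Suricata: it parses the "counter | thread | value" rows as they appear above and flags a counter whose entire total is carried by a single capture thread. The sample rows are constructed from the AF_PACKET and PF_RING excerpts in the report.

```python
"""Parse Suricata stats.log rows and report how a decoder counter is spread
across capture threads, flagging the one-thread-only pattern from this ticket."""
import re
from collections import defaultdict

# Row layout as in the stats.log excerpts: counter | thread | value
ROW_RE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {counter: {thread: value}}; header, separator and date lines do not match."""
    counters = defaultdict(dict)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            counter, thread, value = m.groups()
            counters[counter][thread] = int(value)
    return counters


def vlan_skew(per_thread):
    """Given {thread: value}, return (total, threads_with_hits, skewed).
    skewed is True when at least two threads report the counter, the total is
    nonzero, and one thread accounts for all of it (the AF_PACKET pattern above)."""
    total = sum(per_thread.values())
    nonzero = sum(1 for v in per_thread.values() if v)
    skewed = len(per_thread) >= 2 and total > 0 and nonzero == 1
    return total, nonzero, skewed


# Constructed samples, modelled on the AF_PACKET and PF_RING rows in the report.
AFPACKET_SAMPLE = """\
decoder.vlan | AFPacketeth31 | 808
decoder.vlan | AFPacketeth32 | 0
decoder.vlan | AFPacketeth33 | 0
decoder.vlan | AFPacketeth34 | 0
"""
PFRING_SAMPLE = """\
decoder.vlan | RxPFReth31 | 2
decoder.vlan | RxPFReth32 | 6
decoder.vlan | RxPFReth33 | 8
decoder.vlan | RxPFReth34 | 13
"""

if __name__ == "__main__":
    for name, sample in (("af-packet", AFPACKET_SAMPLE), ("pf_ring", PFRING_SAMPLE)):
        total, hits, skewed = vlan_skew(parse_stats(sample)["decoder.vlan"])
        print(f"{name}: total={total} threads_with_hits={hits} single_thread_skew={skewed}")
```

Run it against a real stats.log by passing the file contents to parse_stats; a counter with several threads and a nonzero total carried by one thread is the symptom this ticket describes.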
Updated by Victor Julien over 10 years ago
I suspect this is caused by afpacket itself. Just like it has to deal in a special way with fragments, vlan tagged packets may all come in on one of the cluster id's.
Updated by Eric Leblond about 10 years ago
- Status changed from New to Closed
- Target version changed from TBD to 2.0rc1
The statistics displayed here are a consequence of the problem fixed in #1082. The kernel is sending packets with vlan header stripped to the userspace. So in reality we have no vlan.
But in some cases, we've got some garbage data that is seen as vlan. This explains why there are so few packets in the stats. In fact, the real result on the test box is millions of tagged packets in a few seconds.
Updated by Peter Manev about 9 years ago
- Status changed from Closed to New
- Target version changed from 2.0rc1 to 2.1beta4
re-opening.
It seems the original problem (when the ticket was opened) is back with 2.1dev (rev 7426a9c).
af-packet:
root@snif01:/var/log/suricata# grep vlan stats.log | tail -8
decoder.vlan | AFPacketeth21 | 171138
decoder.vlan_qinq | AFPacketeth21 | 0
decoder.vlan | AFPacketeth22 | 0
decoder.vlan_qinq | AFPacketeth22 | 0
decoder.vlan | AFPacketeth23 | 0
decoder.vlan_qinq | AFPacketeth23 | 0
decoder.vlan | AFPacketeth24 | 0
decoder.vlan_qinq | AFPacketeth24 | 0
pf-ring
root@snif01:/var/log/suricata# grep vlan stats.log | tail -8
decoder.vlan | RxPFReth21 | 816449
decoder.vlan_qinq | RxPFReth21 | 816449
decoder.vlan | RxPFReth22 | 962026
decoder.vlan_qinq | RxPFReth22 | 962026
decoder.vlan | RxPFReth23 | 869539
decoder.vlan_qinq | RxPFReth23 | 869539
decoder.vlan | RxPFReth24 | 914176
decoder.vlan_qinq | RxPFReth24 | 914176
root@snif01:/var/log/suricata#
Suricata info:
root@snif01:/var/log/suricata# suricata --build-info
This is Suricata version 2.1dev (rev 7426a9c)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON TLS
SIMD support: SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.16, linked against LibHTP v0.5.16

Suricata Configuration:
  AF_PACKET support: yes
  PF_RING support: yes
  NFQueue support: no
  NFLOG support: no
  IPFW support: no
  Netmap support: no
  DAG enabled: no
  Napatech enabled: no
  Unix socket enabled: yes
  Detection enabled: yes

  libnss support: yes
  libnspr support: yes
  libjansson support: yes
  Prelude support: no
  PCRE jit: no
  LUA support: no
  libluajit: no
  libgeoip: yes
  Non-bundled htp: no
  Old barnyard2 support: no
  CUDA enabled: no

  Suricatasc install: yes

  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no
  Profiling enabled: no
  Profiling locks enabled: no
  Coccinelle / spatch: no

Generic build parameters:
  Installation prefix (--prefix): /usr/local
  Configuration directory (--sysconfdir): /usr/local/etc/suricata/
  Log directory (--localstatedir) : /usr/local/var/log/suricata/

  Host: x86_64-unknown-linux-gnu
  GCC binary: gcc
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
root@snif01:/var/log/suricata#
Updated by Victor Julien almost 9 years ago
- Target version changed from 2.1beta4 to 3.0RC1
Updated by Peter Manev over 8 years ago
- Status changed from New to Closed
Fixed in latest git master.