Bug #954

Updated by Victor Julien over 10 years ago




 ############################## 
 # VLAN decoder stats with AF Packet get written to the first thread only - stats.log 
 ## 


 Running afpacket and pfring on the same machine, same traffic, the same suricata.yaml.

 There seems to be an interesting case in the statistics log (could possibly suggest some other issue) with afpacket where decoder vlan stats are written (or decoded?) only by the first thread.

 Detailed info below.

 AFPacket: 
 <pre> 
 grep vlan /var/data/log/suricata/StatsByDate/stats-2013-09-11.log |tail -16 
 decoder.vlan                | AFPacketeth31               | 808 
 decoder.vlan                | AFPacketeth32               | 0 
 decoder.vlan                | AFPacketeth33               | 0 
 decoder.vlan                | AFPacketeth34               | 0 
 decoder.vlan                | AFPacketeth35               | 0 
 decoder.vlan                | AFPacketeth36               | 0 
 decoder.vlan                | AFPacketeth37               | 0 
 decoder.vlan                | AFPacketeth38               | 0 
 decoder.vlan                | AFPacketeth39               | 0 
 decoder.vlan                | AFPacketeth310              | 0 
 decoder.vlan                | AFPacketeth311              | 0 
 decoder.vlan                | AFPacketeth312              | 0 
 decoder.vlan                | AFPacketeth313              | 0 
 decoder.vlan                | AFPacketeth314              | 0 
 decoder.vlan                | AFPacketeth315              | 0 
 decoder.vlan                | AFPacketeth316              | 0 
 </pre> 

 PFring: 

 <pre> 
 grep vlan /var/data/log/suricata/StatsByDate/stats-2013-09-12.log |tail -16 
 decoder.vlan                | RxPFReth31                  | 2 
 decoder.vlan                | RxPFReth32                  | 6 
 decoder.vlan                | RxPFReth33                  | 8 
 decoder.vlan                | RxPFReth34                  | 13 
 decoder.vlan                | RxPFReth35                  | 8 
 decoder.vlan                | RxPFReth36                  | 10 
 decoder.vlan                | RxPFReth37                  | 0 
 decoder.vlan                | RxPFReth38                  | 4 
 decoder.vlan                | RxPFReth39                  | 10 
 decoder.vlan                | RxPFReth310                 | 912 
 decoder.vlan                | RxPFReth311                 | 13 
 decoder.vlan                | RxPFReth312                 | 19 
 decoder.vlan                | RxPFReth313                 | 26 
 decoder.vlan                | RxPFReth314                 | 8 
 decoder.vlan                | RxPFReth315                 | 6 
 decoder.vlan                | RxPFReth316                 | 8 
 </pre> 

 <pre> 
 suricata --build-info 
 This is Suricata version 2.0dev (rev 5614313) 
 Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LUAJIT HAVE_LIBJANSSON PROFILING 
 64-bits, Little-endian architecture 
 GCC version 4.6.3, C version 199901 
   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1 
   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2 
   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4 
   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8 
   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16 
 compiled with -fstack-protector 
 compiled with _FORTIFY_SOURCE=2 
 L1 cache line size (CLS)=64 
 compiled with LibHTP v0.5.6, linked against LibHTP v0.5.6 
 Suricata Configuration: 
   AF_PACKET support:                         yes 
   PF_RING support:                           yes 
   NFQueue support:                           no 
   IPFW support:                              no 
   DAG enabled:                               no 
   Napatech enabled:                          no 
   Unix socket enabled:                       yes 

   libnss support:                            yes 
   libnspr support:                           yes 
   libjansson support:                        yes 
   Prelude support:                           no 
   PCRE jit:                                  no 
   libluajit:                                 yes 
   libgeoip:                                  yes 
   Non-bundled htp:                           no 
   Old barnyard2 support:                     no 
   CUDA enabled:                              no 

   Suricatasc install:                        yes 

   Unit tests enabled:                        no 
   Debug output enabled:                      no 
   Debug validation enabled:                  no 
   Profiling enabled:                         yes 
   Profiling locks enabled:                   no 

 Generic build parameters: 
   Installation prefix (--prefix):            /usr/local 
   Configuration directory (--sysconfdir):    /usr/local/etc/suricata/ 
   Log directory (--localstatedir) :          /usr/local/var/log/suricata/ 

   Host:                                      x86_64-unknown-linux-gnu 
   GCC binary:                                gcc 
   GCC Protect enabled:                       no 
   GCC march native enabled:                  yes 
   GCC Profile enabled:                       no 
 </pre> 

 Much more info can be privately shared if needed. 

 Thanks 
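
Added example (not part of the original report and not Suricata code): a small Python check that reads stats.log lines in the `counter | thread | value` layout shown above and reports counters that are non-zero on exactly one capture thread, which is the AF_PACKET pattern in this report. The sample lines, their values and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the stats.log column layout shown in the report.
# Values are illustrative, not taken from a real sensor.
SAMPLE = """\
Counter                     | TM Name                     | Value
------------------------------------------------------------------
decoder.pkts                | AFPacketeth31               | 5120
decoder.vlan                | AFPacketeth31               | 808
decoder.pkts                | AFPacketeth32               | 4987
decoder.vlan                | AFPacketeth32               | 0
decoder.pkts                | AFPacketeth33               | 5044
decoder.vlan                | AFPacketeth33               | 0
decoder.pkts                | AFPacketeth34               | 5201
decoder.vlan                | AFPacketeth34               | 0
"""


def latest_counters(lines):
    """Return {counter: {thread: value}}, keeping the last value seen
    per thread so that repeated stats dumps resolve to the newest one."""
    table = defaultdict(dict)
    for line in lines:
        parts = [p.strip() for p in line.split("|")]
        # Skip the column header, separator rows and date banners.
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        counter, thread, value = parts
        table[counter][thread] = int(value)
    return table


def single_thread_counters(table, min_threads=2):
    """Return {counter: thread} for counters that are non-zero on exactly
    one thread while every other thread reports zero."""
    flagged = {}
    for counter, per_thread in table.items():
        nonzero = [t for t, v in per_thread.items() if v > 0]
        if len(per_thread) >= min_threads and len(nonzero) == 1:
            flagged[counter] = nonzero[0]
    return flagged


if __name__ == "__main__":
    for counter, thread in single_thread_counters(
            latest_counters(SAMPLE.splitlines())).items():
        print(f"{counter}: only {thread} reports a non-zero value")
```

To run it against a real log, pass the file's lines to `latest_counters` instead of `SAMPLE.splitlines()`.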

