Bug #2099

closed

af_packet: In IPS mode some packets are not copied

Added by Igor Novgorodov over 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

Kernel 4.9.24
Suricata 3.2.x or 4.0dev, does not matter.
1 test alert signature.

Testing with TCPReplay's sample PCAP: https://s3.amazonaws.com/tcpreplay-pcap-files/bigFlows.pcap
Sending 39580750 to eno50 interface (PCAP replayed 50 times), speed capped @ 1.15 Mpps

af-packet:
  - interface: eno49
    threads: 10
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 524288
    block-size: 524288
    checksum-checks: no
    copy-mode: ips
    copy-iface: eno50

  - interface: eno50
    threads: 10
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 524288
    block-size: 524288
    checksum-checks: no
    copy-mode: ips
    copy-iface: eno49

No drops on input in kernel or Suricata, but only 39 230 764 (349 986 packets gone) are sent to eno49 interface (checked by ethtool -S eno49 | grep tx_packets and sniffer connected to eno49).
This count is always the same for the same PCAP file.

Maybe Suricata drops some packets internally and does not copy them to output interface according to some internal logic?
Thanks in advance!

Resulting stats.log:

------------------------------------------------------------------------------------
Date: 4/23/2017 -- 12:11:42 (uptime: 0d, 00h 01m 39s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 39580750
decoder.pkts                               | Total                     | 39580750
decoder.bytes                              | Total                     | 17770889200
decoder.ipv4                               | Total                     | 39558950
decoder.ipv6                               | Total                     | 21950
decoder.ethernet                           | Total                     | 39580750
decoder.tcp                                | Total                     | 31694700
decoder.udp                                | Total                     | 7656750
decoder.icmpv4                             | Total                     | 213300
decoder.icmpv6                             | Total                     | 1700
decoder.teredo                             | Total                     | 150
decoder.avg_pkt_size                       | Total                     | 448
decoder.max_pkt_size                       | Total                     | 1514
tcp.sessions                               | Total                     | 19918
tcp.pseudo                                 | Total                     | 2190
tcp.syn                                    | Total                     | 1598753
tcp.synack                                 | Total                     | 300291
tcp.rst                                    | Total                     | 70750
tcp.stream_depth_reached                   | Total                     | 3
tcp.reassembly_gap                         | Total                     | 2
detect.alert                               | Total                     | 86
app_layer.flow.http                        | Total                     | 2879
app_layer.tx.http                          | Total                     | 6604
app_layer.flow.tls                         | Total                     | 1448
app_layer.flow.failed_tcp                  | Total                     | 102
app_layer.flow.failed_udp                  | Total                     | 5055
flow.spare                                 | Total                     | 524288
flow_mgr.flows_checked                     | Total                     | 779
flow_mgr.flows_notimeout                   | Total                     | 779
flow_mgr.rows_checked                      | Total                     | 1048576
flow_mgr.rows_skipped                      | Total                     | 1047814
flow_mgr.rows_maxlen                       | Total                     | 2
tcp.memuse                                 | Total                     | 800000000
tcp.reassembly_memuse                      | Total                     | 12332832
flow.memuse                                | Total                     | 221576184
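
The comparison the report makes by hand (capture.kernel_packets from stats.log against tx_packets on the copy-iface), as an added example that is not part of the original report or of Suricata. The function names, the before/after snapshot of the NIC counter and the sample ethtool output are assumptions made for illustration; only the two packet totals come from the report.

```shell
#!/usr/bin/env bash
# Added example: compare what Suricata captured with what the copy-iface NIC sent.

# Value of one counter from the newest dump in a stats.log stream on stdin.
stats_counter() {   # $1 = counter name, e.g. capture.kernel_packets
    awk -F'|' -v name="$1" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == name { val = $3; gsub(/[ \t]/, "", val); last = val }
        END { if (last == "") exit 1; print last }'
}

# Exact-name lookup in `ethtool -S` output on stdin; a plain grep for
# tx_packets would also match names such as tx_packets_phy.
ethtool_counter() { # $1 = statistic name
    awk -v name="$1" '
        { k = $1; sub(/:$/, "", k) }
        k == name { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Packets captured but not transmitted. NIC counters are cumulative, so the
# tx figure is the difference between snapshots taken before and after the replay.
copy_gap() {        # $1 = captured, $2 = tx before, $3 = tx after
    echo $(( $1 - ($3 - $2) ))
}

# Constructed sample input: two counters as in the report's stats.log, and
# ethtool snapshots made up so that the delta equals the reported 39230764.
SAMPLE_STATS='capture.kernel_packets                     | Total                     | 39580750
decoder.pkts                               | Total                     | 39580750'
SAMPLE_TX_BEFORE='NIC statistics:
     tx_packets: 1000
     tx_packets_phy: 1000'
SAMPLE_TX_AFTER='NIC statistics:
     tx_packets: 39231764
     tx_packets_phy: 39231764'

demo_gap() {
    captured=$(printf '%s\n' "$SAMPLE_STATS" | stats_counter capture.kernel_packets) || return 1
    before=$(printf '%s\n' "$SAMPLE_TX_BEFORE" | ethtool_counter tx_packets) || return 1
    after=$(printf '%s\n' "$SAMPLE_TX_AFTER" | ethtool_counter tx_packets) || return 1
    copy_gap "$captured" "$before" "$after"
}

demo_gap
```

On a live sensor the same functions take `ethtool -S eno49` and the stats.log file on stdin in place of the sample strings.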

