Bug #2099
Status: closed
af_packet: In IPS mode some packets are not copied
Description
Kernel 4.9.24
Suricata 3.2.x or 4.0dev, does not matter.
1 test alert signature.
Testing with TCPReplay's sample PCAP: https://s3.amazonaws.com/tcpreplay-pcap-files/bigFlows.pcap
Sending 39580750 packets to eno50 interface (PCAP replayed 50 times), speed capped @ 1.15 Mpps
af-packet:
  - interface: eno49
    threads: 10
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 524288
    block-size: 524288
    checksum-checks: no
    copy-mode: ips
    copy-iface: eno50
  - interface: eno50
    threads: 10
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 524288
    block-size: 524288
    checksum-checks: no
    copy-mode: ips
    copy-iface: eno49
No drops on input in kernel or Suricata, but only 39 230 764 packets (349 986 packets gone) are sent to eno49 interface (checked by ethtool -S eno49 | grep tx_packets and a sniffer connected to eno49).
This count is always the same for the same PCAP file.
Maybe Suricata drops some packets internally and does not copy them to output interface according to some internal logic?
Thanks in advance!
Resulting stats.log:
------------------------------------------------------------------------------------
Date: 4/23/2017 -- 12:11:42 (uptime: 0d, 00h 01m 39s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 39580750
decoder.pkts | Total | 39580750
decoder.bytes | Total | 17770889200
decoder.ipv4 | Total | 39558950
decoder.ipv6 | Total | 21950
decoder.ethernet | Total | 39580750
decoder.tcp | Total | 31694700
decoder.udp | Total | 7656750
decoder.icmpv4 | Total | 213300
decoder.icmpv6 | Total | 1700
decoder.teredo | Total | 150
decoder.avg_pkt_size | Total | 448
decoder.max_pkt_size | Total | 1514
tcp.sessions | Total | 19918
tcp.pseudo | Total | 2190
tcp.syn | Total | 1598753
tcp.synack | Total | 300291
tcp.rst | Total | 70750
tcp.stream_depth_reached | Total | 3
tcp.reassembly_gap | Total | 2
detect.alert | Total | 86
app_layer.flow.http | Total | 2879
app_layer.tx.http | Total | 6604
app_layer.flow.tls | Total | 1448
app_layer.flow.failed_tcp | Total | 102
app_layer.flow.failed_udp | Total | 5055
flow.spare | Total | 524288
flow_mgr.flows_checked | Total | 779
flow_mgr.flows_notimeout | Total | 779
flow_mgr.rows_checked | Total | 1048576
flow_mgr.rows_skipped | Total | 1047814
flow_mgr.rows_maxlen | Total | 2
tcp.memuse | Total | 800000000
tcp.reassembly_memuse | Total | 12332832
flow.memuse | Total | 221576184
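The report's cross-check (Suricata's capture.kernel_packets versus the copy-iface's tx_packets from ethtool -S) is easy to automate so that a silent forwarding gap like this one shows up as a number rather than a hunch. The following script is an added example, not code from the bug report or from the Suricata project: it parses a stats.log dump in the "Counter | TM Name | Value" layout shown above and the tx_packets line of ethtool -S output, then reports how many packets Suricata accepted that never left the copy interface. The sample inputs are constructed from the figures quoted in the report; capture.kernel_drops is assumed to be 0 when the counter is absent, as it is here. Because stats.log totals aggregate all af-packet threads, the check only isolates one direction when traffic is injected on a single interface, as in this test.

```python
import re
from dataclasses import dataclass

# stats.log rows look like:  capture.kernel_packets | Total | 39580750
STATS_ROW = re.compile(r"^\s*([\w.]+)\s*\|\s*[^|]+\|\s*(\d+)\s*$")
# `ethtool -S <iface>` lines look like:  tx_packets: 39230764
ETHTOOL_ROW = re.compile(r"^\s*([\w.-]+):\s*(\d+)\s*$")


def parse_stats_log(text: str) -> dict:
    """Map Suricata counter names to their values from a stats.log dump."""
    counters = {}
    for line in text.splitlines():
        m = STATS_ROW.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def parse_ethtool_stats(text: str) -> dict:
    """Map NIC statistic names to values from `ethtool -S` output."""
    counters = {}
    for line in text.splitlines():
        m = ETHTOOL_ROW.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


@dataclass
class CopyCheck:
    received: int      # capture.kernel_packets (inbound af-packet ring)
    kernel_drops: int  # capture.kernel_drops; assumed 0 when absent
    decoded: int       # decoder.pkts
    forwarded: int     # tx_packets on the copy-iface

    @property
    def missing(self) -> int:
        """Packets Suricata accepted that never left the copy-iface."""
        return self.received - self.kernel_drops - self.forwarded

    def verdict(self) -> str:
        if self.decoded != self.received - self.kernel_drops:
            return "decoder saw fewer packets than the kernel delivered: capture path lost them"
        if self.missing > 0:
            return "packets lost between decode and copy-iface: inspect the IPS copy path"
        if self.missing < 0:
            return "copy-iface transmitted more than received: counters not isolated to this test"
        return "all received packets were forwarded"


def check_ips_copy(stats_log: str, ethtool_out: str) -> CopyCheck:
    """Combine a stats.log dump and the copy-iface's ethtool -S output."""
    s = parse_stats_log(stats_log)
    e = parse_ethtool_stats(ethtool_out)
    return CopyCheck(
        received=s.get("capture.kernel_packets", 0),
        kernel_drops=s.get("capture.kernel_drops", 0),
        decoded=s.get("decoder.pkts", 0),
        forwarded=e.get("tx_packets", 0),
    )


# Constructed sample inputs using the numbers quoted in the report.
SAMPLE_STATS_LOG = """\
Counter                   | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets    | Total   | 39580750
decoder.pkts              | Total   | 39580750
decoder.bytes             | Total   | 17770889200
"""

SAMPLE_ETHTOOL = """\
NIC statistics:
     rx_packets: 123
     tx_packets: 39230764
"""

if __name__ == "__main__":
    result = check_ips_copy(SAMPLE_STATS_LOG, SAMPLE_ETHTOOL)
    print(f"received={result.received} forwarded={result.forwarded} missing={result.missing}")
    print(result.verdict())
```

Run it with a fresh stats.log and the copy-iface's ethtool -S output captured right after the replay finishes; a stable non-zero "missing" count across repeated runs of the same PCAP, with decoder.pkts equal to capture.kernel_packets and no kernel drops, points at the copy path inside Suricata rather than at the capture ring, which is exactly the pattern the reporter observed.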