<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=gb2312"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:10.5pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"批注框文本 Char";
margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:9.0pt;
font-family:"Calibri","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
text-indent:21.0pt;
font-size:10.5pt;
font-family:"Calibri","sans-serif";}
span.Char
{mso-style-name:"批注框文本 Char";
mso-style-priority:99;
mso-style-link:批注框文本;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:198586460;
mso-list-type:hybrid;
mso-list-template-ids:212863920 -1564075712 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:18.0pt;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-text:"%2\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:42.0pt;
text-indent:-21.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:63.0pt;
text-indent:-21.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:84.0pt;
text-indent:-21.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-text:"%5\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:105.0pt;
text-indent:-21.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:126.0pt;
text-indent:-21.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:147.0pt;
text-indent:-21.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-text:"%8\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:168.0pt;
text-indent:-21.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:189.0pt;
text-indent:-21.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-CN link=blue vlink=purple style='text-justify-trim:punctuation'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>When I review the code of suricata-2.0.1, I found there is a thread-sync issue for streamTcp module. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>The config of streamTcp parsed at function StreamTcpInitConfig in </span><span lang=EN-US style='color:red'>Suricata-Main</span><span lang=EN-US style='color:#1F497D'>.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Bug streamTcp tread init at function StreamTcpThreadInit in </span><span lang=EN-US style='color:red'>capture-Thread</span><span lang=EN-US style='color:#1F497D'>, such as AFPacketeth21.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>If capture-thread run first after spawning, It will lead to streamTcp don’t prealloc any sessions. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>This issue don’t affect the function, but I think it will reduce performance when process tcp flow.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Here is the details:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><b><span lang=EN-US style='color:#1F497D'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span></b><![endif]><b><span lang=EN-US style='color:#1F497D'>my configuration: <o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>My config in suricata.yaml is running with workers mode and use af-packet to capture packets. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><b><span lang=EN-US style='color:#1F497D'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span></b><![endif]><b><span lang=EN-US style='color:#1F497D'>StreamTcpThreadInit is called after thread spawn, it will prealloc tcpsessions through PoolInit, here is the gdb stack trace:<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>#0 <a name="OLE_LINK28"></a><a name="OLE_LINK29"><b>PoolInit</b> </a>(size=0, <b><span style='color:red'>prealloc_size=0, elt_size=192</span></b><span style='color:red'>,</span> Alloc=0x50ea30 <StreamTcpSessionPoolAlloc>, Init=0x50e680 <StreamTcpSessionPoolInit>, InitData=0x0, <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Cleanup=0x50e730 <StreamTcpSessionPoolCleanup>, Free=0) at util-pool.c:85<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#1 0x0000000000568b7c in <b>PoolThreadGrow</b> (pt=<optimized out>, size=0, prealloc_size=0, elt_size=192, Alloc=0x50ea30 <StreamTcpSessionPoolAlloc>, <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Init=0x50e680 <StreamTcpSessionPoolInit>, InitData=0x0, Cleanup=0x50e730 <StreamTcpSessionPoolCleanup>, Free=0) at util-pool-thread.c:116<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#2 0x000000000050e13c in <a name="OLE_LINK26"></a><a name="OLE_LINK27"><b>StreamTcpThreadInit</b> </a>(tv=0x266655e0, initdata=<optimized out>, data=<optimized out>) at stream-tcp.c:4600<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#3 0x0000000000525480 in TmThreadsSlotPktAcqLoop (td=0x266655e0) at tm-threads.c:669<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#4 0x00007ffff6f2ae9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#5 0x00007ffff67f93fd in clone () from /lib/x86_64-linux-gnu/libc.so.6<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#6 0x0000000000000000 in ?? ()<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>You will sess the prealloc_size is 0 even in my suricata.yaml it set to 50000.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#0070C0'>stream:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#0070C0'> memcap: 1gb<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#0070C0'> checksum-validation: yes # reject wrong csums<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#0070C0'> midstream: false<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#0070C0'> <b> prealloc-sessions: 50000<o:p></o:p></b></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><b><span lang=EN-US style='color:#1F497D'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span></b><![endif]><b><span lang=EN-US>StreamTcpInitConfig is called in main thread after spawn the capture thread: </span></b><b><span lang=EN-US style='color:#1F497D'><o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-US>Breakpoint 2, <a name="OLE_LINK32"></a><a name="OLE_LINK33">StreamTcpInitConfig </a>(quiet=0 '\000') at stream-tcp.c:341<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>341 {<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(gdb) bt<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#0 StreamTcpInitConfig (quiet=0 '\000') at stream-tcp.c:341<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#1 0x0000000000410d70 in main (argc=<optimized out>, argv=<optimized out>) at suricata.c:2249<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p></div></body></html>