[Oisf-devel] 77b708=WIN?

Victor Julien victor at inliniac.net
Tue Sep 27 14:50:58 UTC 2011


On 09/27/2011 04:33 PM, Chris Wakelin wrote:
> I've just upgraded my campus network monitor to latest SVN
> (6bad2dbd7964a2e465ff4829022acf1e6c34062d) and PF_RING 5.1.0 (non-DNA).
> 
> I've applied two patches, my extended HTTP log one and Will's PF_RING
> "single" runmode (included in part of Bug 315) but with the same changes
> Anoop included in a844eecb0e115758eb87d515d37b9fcd877d2fec
> 
> I'm running with 6 threads and --runmode=single.

Maybe I just misunderstand you, but runmode single is using a single
packet processing pipeline. If you need more I suggest autofp.

> I'd not seen any more of the htp_tx_destroy crashes in the last week or
> so, but with this version I've had two new ones (running fine for hours
> in between):
> 
>> Core was generated by `/opt/RDGsuricata/bin/suricata --pfring-int eth1 -c /etc/suricata/suricata.yaml'.
<snip bt>
> The odd thing here is that src and dst aren't set; is that expected?

It's a known issue Anoop is currently fixing. What happens is that when
the flow manager (kind of a garbage collector for flows) times out a TCP
session that wasn't properly shut down (no RST or FIN) it injects a fake
packet into the engine to trigger final reassembly, inspection and
logging. For this currently a minimally initialized packet is used, but
due to some issues elsewhere we're doing a fully initialized packet soon.

There *may* be a relation to your segv as well. I'll let you know when
I've checked this new code in.

Cheers,
Victor
-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
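
The flow-timeout behaviour described in the reply above, as an added example that is not part of the original message and is not Suricata code: a simplified C model of a flow-manager pass that injects a pseudo packet for an idle TCP flow, showing why a minimally initialized packet has no src/dst while a fully initialized one does. All type and function names here are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types for illustration; not Suricata's structures. */
typedef struct { uint32_t src, dst; uint16_t sp, dp; uint32_t last_seen; int closed; } Flow;
typedef struct { uint32_t src, dst; uint16_t sp, dp; const Flow *flow; int pseudo; } Packet;

/* Minimal init: only the flow pointer and the pseudo flag are set. */
static Packet pseudo_minimal(const Flow *f) {
    Packet p;
    memset(&p, 0, sizeof p);
    p.flow = f;
    p.pseudo = 1;
    return p;
}

/* Full init: also copy the address/port tuple from the flow. */
static Packet pseudo_full(const Flow *f) {
    Packet p = pseudo_minimal(f);
    p.src = f->src; p.dst = f->dst; p.sp = f->sp; p.dp = f->dp;
    return p;
}

/* One flow-manager pass: every flow idle for >= timeout that never saw
 * FIN/RST gets a pseudo packet built by mk(). Returns the number injected. */
static int flow_manager_pass(Flow *flows, int n, uint32_t now, uint32_t timeout,
                             Packet (*mk)(const Flow *), Packet *out) {
    int injected = 0;
    for (int i = 0; i < n; i++) {
        if (!flows[i].closed && now - flows[i].last_seen >= timeout) {
            out[injected++] = mk(&flows[i]);
            flows[i].closed = 1;  /* final reassembly/logging happens once */
        }
    }
    return injected;
}

/* A later stage (e.g. a logger) that reads the tuple from the packet itself. */
static int packet_has_tuple(const Packet *p) { return p->src != 0 && p->dst != 0; }

int main(void) {
    /* Constructed sample: one idle flow 10.0.0.1:40000 -> 10.0.0.2:80. */
    Flow f = { 0x0a000001, 0x0a000002, 40000, 80, 100, 0 };
    Packet out[1];
    int n = flow_manager_pass(&f, 1, 500, 60, pseudo_minimal, out);
    printf("injected=%d tuple_set=%d\n", n, n ? packet_has_tuple(&out[0]) : 0);
    return 0;
}
```

Any stage that handles such a packet either has to read the tuple through the flow pointer or tolerate zeroed addresses, which is what an empty src/dst in a backtrace frame reflects in this model.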



