[Oisf-users] Packets stucked in Nfqueue when running inline

Victor Julien victor at inliniac.net
Tue Jun 21 08:35:10 UTC 2011


On 06/21/2011 02:36 AM, Fernando Ortiz wrote:
> Thank you so much for your suggestion.
> 
> I compiled the last revision from git. The same problem. I followed your
> steps:
> 
>>>    * Flush iptables rules (to block the packet counter in /proc)
>>>    * Wait a few seconds for delivery of all packets
> 
> ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue
>     1    640     8 2 65535     0     0        166919  1
>     2  -4290     9 2 65535     0     0        166920  1
> 
>>> * Get the number of packets queued from /proc (equal to last
>        number before 1 in the proc file)
> 
> (RecvNFQ-Q1) Pkts 166919, Bytes 107024647, Errors 0
> (RecvNFQ-Q2) Pkts 166920, Bytes 106693226, Errors 0
> 
>>>     * Stop suricata
>>>    * Retrieve NFQ packets statistics in the log output (Pkts accepted
>>>     %"PRIu32", dropped %"PRIu32", replaced %"PRIu32)
> 
> Q1->  Pkts accepted 166705, dropped 206, replaced 0
> Q2->  Pkts accepted 166692, dropped 219, replaced 0
> 
> So, in Q1 166705 + 206 = 166911  = 166919 - 8
> Same in Q2   166692 + 219 = 266911 = 166920 - 9
> 
> You are right, these 17 packets are not seen by suricata, therefore, no one
> makes a verdict and they are stuck in the queues waiting for one.

It might still be a Suricata issue though. If Suricata reads a packet
but somehow messes up before it counts a new packet you might get the
above numbers. Both NFQCallBack and NFQSetupPkt should be reviewed
carefully for their error behavior I think.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
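The reconciliation walked through in the quoted steps above, as an added example that is not part of this thread or of Suricata: it parses the /proc/net/netfilter/nfnetlink_queue table and Suricata's NFQ shutdown counters (sample lines constructed from the numbers in this thread) and reports, per queue, the packets still waiting for a verdict and any gap between what the kernel handed to userspace and what Suricata verdicted. Column meanings follow the kernel's nfnetlink_queue proc output; the Suricata log pattern is the "Pkts accepted ..., dropped ..., replaced ..." line quoted above.

```python
import re

# Constructed sample of /proc/net/netfilter/nfnetlink_queue using the thread's
# numbers. Columns: queue_num, peer_portid, queue_total, copy_mode, copy_range,
# queue_dropped, queue_user_dropped, id_sequence, and a constant trailing 1.
NFQ_PROC_SAMPLE = """\
    1    640     8 2 65535     0     0        166919  1
    2  -4290     9 2 65535     0     0        166920  1
"""

# Constructed sample of Suricata's NFQ statistics printed at shutdown.
SURICATA_LOG_SAMPLE = """\
Q1->  Pkts accepted 166705, dropped 206, replaced 0
Q2->  Pkts accepted 166692, dropped 219, replaced 0
"""

STATS_RE = re.compile(r"Q(\d+)->\s+Pkts accepted (\d+), dropped (\d+), replaced (\d+)")


def parse_nfq_proc(text):
    """Map queue number -> packets in queue, id_sequence and kernel-side drops."""
    queues = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue  # skip anything that is not a queue row
        queues[int(f[0])] = {
            "in_queue": int(f[2]),
            "id_sequence": int(f[7]),
            "kernel_dropped": int(f[5]) + int(f[6]),
        }
    return queues


def parse_suricata_stats(text):
    """Map queue number -> packets Suricata issued a verdict for (accepted + dropped)."""
    return {int(m.group(1)): int(m.group(2)) + int(m.group(3))
            for m in STATS_RE.finditer(text)}


def reconcile(proc_text, log_text):
    """Per queue: packets stuck awaiting a verdict, and packets the kernel
    delivered that Suricata never counted. The subtraction is exact only when
    the kernel drop counters are zero, as they are in this thread; they are
    reported so the reader can see when that assumption fails."""
    verdicts = parse_suricata_stats(log_text)
    report = {}
    for qnum, q in parse_nfq_proc(proc_text).items():
        delivered = q["id_sequence"] - q["in_queue"]  # sequence minus still-queued
        report[qnum] = {
            "stuck": q["in_queue"],
            "unaccounted": delivered - verdicts.get(qnum, 0),
            "kernel_dropped": q["kernel_dropped"],
        }
    return report
```

With the thread's numbers both queues show 0 unaccounted packets and 8 + 9 = 17 stuck, which is consistent with Suricata receiving a packet and failing before counting it.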