Re: BPF problems on FreeBSD 7.0
On Tue, Jul 15, 2008 at 14:25 -0700, you wrote: >> Thanks for the suggestion. Here's the netstat -B output at the time >> it has stalled (after about 6 hours of working normally): [...] > at your rate of receiving packets, it passed that value about > 2 minutes before this snapshot was taken.. Sorry, I wasn't precise: the process stalled after about 6 hours but the netstat output is actually from much later (the next day in fact, because it stalled latet a night) when it was still in that state. Robin -- Robin Sommer * Phone +1 (510) 666-2886 * [EMAIL PROTECTED] ICSI/LBNL* Fax +1 (510) 666-2956 * www.icir.org ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: BPF problems on FreeBSD 7.0
Robin Sommer wrote: On Mon, Jul 14, 2008 at 14:44 +0100, Bruce M. Simpson wrote: One place to start might be: netstat -B output in 7.x (I *think* this got MFCed), this will let us see what the drop count is for the Bro process, and what the flags are for the open BPF descriptors in the system. Thanks for the suggestion. Here's the netstat -B output at the time it has stalled (after about 6 hours of working normally): Pid Netif Flags Recv Drop Match Sblen Hblen Command 14557 nxge0 p--s--- 2162189525 32514465 42815457 4194248 4194258 br the Recv number is JUST past 2^31. at your rate of receiving packets, it passed that value about 2 minutes before this snapshot was taken.. Top shows: PID USERNAME THR PRI NICE SIZERES STATE C TIME WCPU COMMAND 14557 bro1 -580272M 267M5 25:53 0.00% bro A few minutes after starting the process, when Bro was still working fine, a netstat -B output was: # netstat -B Pid Netif Flags Recv Drop Match Sblen Hblen Command 14557 nxge0 p--s--- 4779235 0 94967 0 0 bro Thanks, Robin ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: BPF problems on FreeBSD 7.0
On Mon, Jul 14, 2008 at 14:44 +0100, Bruce M. Simpson wrote: > One place to start might be: netstat -B output in 7.x (I *think* this got > MFCed), this will let us see what the drop count is for the Bro process, > and what the flags are for the open BPF descriptors in the system. Thanks for the suggestion. Here's the netstat -B output at the time it has stalled (after about 6 hours of working normally): Pid Netif Flags Recv Drop Match Sblen Hblen Command 14557 nxge0 p--s--- 2162189525 32514465 42815457 4194248 4194258 bro Top shows: PID USERNAME THR PRI NICE SIZERES STATE C TIME WCPU COMMAND 14557 bro1 -580272M 267M5 25:53 0.00% bro A few minutes after starting the process, when Bro was still working fine, a netstat -B output was: # netstat -B Pid Netif Flags Recv Drop Match Sblen Hblen Command 14557 nxge0 p--s--- 4779235 0 94967 0 0 bro Thanks, Robin -- Robin Sommer * Phone +1 (510) 666-2886 * [EMAIL PROTECTED] ICSI/LBNL* Fax +1 (510) 666-2956 * www.icir.org ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: BPF problems on FreeBSD 7.0
Robin Sommer wrote: Hi all, we're seeing some strange effects with our libpcap-based application (the Bro network intrusion detection system) on a FreeBSD 7-RELEASE system. As the application has always been running fine on 6.x, we're wondering whether this might be triggered by any of the changes that went into 7. ... I'm wondering whether anybody here has seen something similar or might have an idea where to start looking for the cause. Any ideas? One place to start might be: netstat -B output in 7.x (I *think* this got MFCed), this will let us see what the drop count is for the Bro process, and what the flags are for the open BPF descriptors in the system. I'm not hot on current BPF internals, but I hazard a guess this is related to BPF descriptor buffering -- an area where there have been changes, some of which I've eyeballed. cheers BMS ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
BPF problems on FreeBSD 7.0
Hi all, we're seeing some strange effects with our libpcap-based application (the Bro network intrusion detection system) on a FreeBSD 7-RELEASE system. As the application has always been running fine on 6.x, we're wondering whether this might be triggered by any of the changes that went into 7. The problem is that the Bro process, after running fine for a few hours or so, regularly stalls completely; the process seems to enter some odd state, using 0% CPU and with top showing only an empty field in the STATE column. We saw this effect with a Neterion network card and first thought it might be a driver problem. After switching to an Intel card, we see something slightly different: now the process doesn't stall completely anymore but it still gets to some point at which it stops receiving packets from libpcap. We haven't yet seen these problems with any other libpcap application. The only difference between Bro and most other libpcap applications that I can think of right now, is that Bro is using select() on the file descriptor. However, with a small test applicaton which mimics Bro's way of using libpcap, we couldn't reproduce the problem so far either. With the Neterion card, we have also tried disabling LRO and MSI explicitly but to no avail. Again, this is all with a Bro installation that works fine when running FreeBSD 6.x (we haven't run 6.x on the same boxes but we see the problems on two separate machines running FreeBSD 7). I'm wondering whether anybody here has seen something similar or might have an idea where to start looking for the cause. Any ideas? Thanks, Robin -- Robin Sommer * Phone +1 (510) 666-2886 * [EMAIL PROTECTED] ICSI/LBNL* Fax +1 (510) 666-2956 * www.icir.org ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"