strange dropped packets issue

I've been trying to enable drop-adapt, but I've run into a really odd issue
with dropped packets.

Things start out working fine, but then as soon as any packets are dropped it
goes all the way back up to Level 10 and stays there:

Nov 3 15:49:55 switched to LoadLevel9
Nov 3 15:52:25 switched to LoadLevel8
Nov 3 15:54:55 switched to LoadLevel7
Nov 3 15:57:25 switched to LoadLevel6
Nov 3 15:59:55 switched to LoadLevel5
Nov 3 16:01:55 switched to LoadLevel6
Nov 3 16:02:45 switched to LoadLevel7
Nov 3 16:03:35 switched to LoadLevel8
Nov 3 16:04:25 switched to LoadLevel9
Nov 3 16:05:15 switched to LoadLevel10

netstats will then show dropped increasing at about 80% the rate of recvd.

The odd part is if I run capstats with the -f option corresponding to the Level
10 filter and run netstats in 10 seconds intervals, the pkts= matches up almost
exactly.

So it seems that Bro isn't actually dropping any packets, but it thinks it is.
If I restart bro, it goes right back to 0 dropped packets.

I think I'm running into some sort of libpcap issue on Linux, but I'm not sure.
It seems everything goes wrong as soon as it starts changing the capture filter
once packets are dropped. Though it might just be that things go wrong once
packets are dropped in general, but I don't really know how to test that.

Is your bro running on a linux platform?

Bill Jones

Should have read all your message. At some point libpcap was changed to have the same semantics as libpcap on BSD: the error counter returns the number of errors seen since the interface was opened instead of the old Linux behavior of returning the number of errors since the previous status.

In PktSrc.cc change:

#ifdef HAVE_LINUX
        // Linux clears its counters each time.
        s->received = stats.received;
        s->dropped = stats.dropped + pstat.ps_drop;
        s->link = 0; // not available
#else
        // Default assumes FreeBSD's semantics.
        s->received = stats.received;
        s->dropped = pstat.ps_drop;
        s->link = pstat.ps_recv;
#endif

To

        // Default assumes FreeBSD's semantics.
        s->received = stats.received;
        s->dropped = pstat.ps_drop;
        s->link = pstat.ps_recv;

Bill Jones
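The two branches above differ only in whether ps_drop is treated as a per-call delta or as a cumulative total. The following is an added illustration, not Bro's PktSrc.cc: it replays a constructed series of pcap_stats() readings (cumulative semantics, as modern Linux libpcap returns them) through both branches. The struct names, the replay helper and the sample readings are all assumptions made for this example; stats.dropped from Bro's code is modelled as the running total kept in the Stats struct.

```c
/* Added example, not Bro's code: models Bro's two stats branches under
 * cumulative ps_drop semantics. Readings are constructed, not captured. */
#include <stdio.h>
#include <stddef.h>

/* Mirrors the fields Bro fills in (names follow the thread's snippet). */
struct Stats {
    unsigned long received;
    unsigned long dropped;   /* running total, plays the role of stats.dropped */
    unsigned long link;
};

/* Minimal stand-in for the two libpcap struct pcap_stat fields used here. */
struct pcap_stat_sample {
    unsigned int ps_recv;
    unsigned int ps_drop;
};

/* Old HAVE_LINUX branch: assumes ps_drop is "drops since the last call"
 * and adds it to the running total on every call. */
void stats_linux_branch(struct Stats *s, const struct pcap_stat_sample *pstat)
{
    s->received = pstat->ps_recv;
    s->dropped = s->dropped + pstat->ps_drop;   /* stats.dropped + ps_drop */
    s->link = 0;                                /* not available */
}

/* FreeBSD-semantics branch: ps_drop is already cumulative since the
 * interface was opened, so it is reported as-is. */
void stats_bsd_branch(struct Stats *s, const struct pcap_stat_sample *pstat)
{
    s->received = pstat->ps_recv;
    s->dropped = pstat->ps_drop;
    s->link = pstat->ps_recv;
}

/* Feed every reading through one branch and return the final drop count. */
unsigned long replay(void (*branch)(struct Stats *, const struct pcap_stat_sample *),
                     const struct pcap_stat_sample *readings, size_t n)
{
    struct Stats s = {0, 0, 0};
    for (size_t i = 0; i < n; i++)
        branch(&s, &readings[i]);
    return s.dropped;
}

/* Constructed readings with cumulative semantics: 500 packets were dropped
 * once, early on; the counter is then polled four more times with no new
 * drops, so the true total stays at 500. */
static const struct pcap_stat_sample cumulative_readings[] = {
    {1000, 500}, {2000, 500}, {3000, 500}, {4000, 500}, {5000, 500},
};
#define NREADINGS (sizeof cumulative_readings / sizeof cumulative_readings[0])

int main(void)
{
    /* The delta-assuming branch reports 5 * 500 = 2500: the same value added
     * once per poll, which is the "multiples of the same exact value" symptom. */
    printf("linux branch reports %lu dropped (true: 500)\n",
           replay(stats_linux_branch, cumulative_readings, NREADINGS));
    printf("bsd branch reports   %lu dropped (true: 500)\n",
           replay(stats_bsd_branch, cumulative_readings, NREADINGS));
    return 0;
}
```

Because the inflated figure never comes down, a load-adaptation scheme that keys off the reported drop count will climb to its top level and stay there even when the interface has stopped dropping, which is the behaviour the first message in the thread describes.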

Ah, I think you nailed it. I took a look at some values of dropped, and not
only were they going up, they were going up by multiples of the same exact
value. This explains why I was seeing a huge number of dropped packets but no
cpu load.

With that fixed, I have found another bug. I notice when bro starts it prints to the load log:

"0.000000 switched to LoadLevel9"

(I set the default to 9, but it's the same with 10)

But it does not actually change the pcap filter.

It's only when the load level changes:
"1257290873.632846 switched to LoadLevel8"

does the packet filter change. I bet this is a race condition somewhere, the
fact that the time is 0 probably means something isn't fully setup yet.

Any chance it's this?

    http://tracker.icir.org/bro/ticket/18

Robin

Would it make sense to just remove the linux specific code? Is anyone running older Linux distros for their analyzers?

Based on one of the links in the ticket, it looks like Debian updated their libpcap and got rid of this issue in 2005.

   .Seth

I would remove the code.

The change to libpcap was made years ago. It won't break the really old systems and would make it easier to install bro on new Linux systems - you won't have to change the code by hand!