I've been trying to enable drop-adapt, but I've run into a really odd issue
with dropped packets.
Things start out working fine, but then as soon as any packets are dropped it
goes all the way back up to Level 10 and stays there:
Nov 3 15:49:55 switched to LoadLevel9
Nov 3 15:52:25 switched to LoadLevel8
Nov 3 15:54:55 switched to LoadLevel7
Nov 3 15:57:25 switched to LoadLevel6
Nov 3 15:59:55 switched to LoadLevel5
Nov 3 16:01:55 switched to LoadLevel6
Nov 3 16:02:45 switched to LoadLevel7
Nov 3 16:03:35 switched to LoadLevel8
Nov 3 16:04:25 switched to LoadLevel9
Nov 3 16:05:15 switched to LoadLevel10
netstats will then show dropped increasing at about 80% the rate of recvd.
The odd part is if I run capstats with the -f option corresponding to the Level
10 filter and run netstats at 10-second intervals, the pkts= matches up almost
exactly.
So it seems that Bro isn't actually dropping any packets, but it thinks it is.
If I restart bro, it goes right back to 0 dropped packets.
I think I'm running into some sort of libpcap issue on Linux, but I'm not sure.
It seems everything goes wrong as soon as it starts changing the capture filter
once packets are dropped. Though it might just be that things go wrong once
packets are dropped in general, but I don't really know how to test that.
Should have read all of your message. At some point libpcap was changed to have the same semantics as libpcap on BSD: the error counter returns the number of errors seen since the interface was opened, instead of the old Linux behavior of returning the number of errors since the previous status.
In PktSrc.cc change:
#ifdef HAVE_LINUX
// Linux clears its counters each time.
s->received = stats.received;
s->dropped = stats.dropped + pstat.ps_drop;
s->link = 0; // not available
#else
// Default assumes FreeBSD's semantics.
s->received = stats.received;
s->dropped = pstat.ps_drop;
s->link = pstat.ps_recv;
#endif
Ah, I think you nailed it. I took a look at some values of dropped, and not
only were they going up, they were going up by multiples of the same exact
value. This explains why I was seeing a huge number of dropped packets but no
cpu load.
With that fixed, I have found another bug: I notice that when bro starts it prints to the load log:
"0.000000 switched to LoadLevel9"
(I set the default to 9, but it's the same with 10)
But it does not actually change the pcap filter.
It's only when the load level changes:
"1257290873.632846 switched to LoadLevel8"
does the packet filter change. I bet this is a race condition somewhere, the
fact that the time is 0 probably means something isn't fully set up yet.
The change to libpcap was made years ago. It won't break the really old systems and would make it easier to install bro on new Linux systems - you won't have to change the code by hand!
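
The miscount discussed in this thread, as an added example (not code from the thread or from Bro): it applies both branches of the PktSrc.cc snippet to a cumulative ps_drop counter and shows why the Linux branch keeps growing by the same value on every poll. The function names and sample readings are constructed, and it assumes stats.dropped holds the value reported on the previous call.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample: pstat.ps_drop as read on six successive polls when the
 * counter is cumulative since the interface was opened. 500 packets are lost
 * before the third poll and none afterwards. */
static const unsigned int SAMPLE[] = {0, 0, 500, 500, 500, 500};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* HAVE_LINUX branch from the thread: treats every reading as "drops since the
 * previous call" and adds it to a running total.
 * Assumption: stats.dropped holds the value reported on the previous call. */
static unsigned long report_clearing(const unsigned int *ps_drop, size_t n,
                                     unsigned long *out)
{
    unsigned long running = 0;          /* stands in for stats.dropped */
    for (size_t i = 0; i < n; i++) {
        running += ps_drop[i];          /* s->dropped = stats.dropped + pstat.ps_drop */
        out[i] = running;
    }
    return running;
}

/* Default (FreeBSD-semantics) branch: the reading already is the total. */
static unsigned long report_cumulative(const unsigned int *ps_drop, size_t n,
                                       unsigned long *out)
{
    unsigned long last = 0;
    for (size_t i = 0; i < n; i++)
        last = out[i] = ps_drop[i];     /* s->dropped = pstat.ps_drop */
    return last;
}

int main(void)
{
    unsigned long a[SAMPLE_LEN], b[SAMPLE_LEN];
    report_clearing(SAMPLE, SAMPLE_LEN, a);
    report_cumulative(SAMPLE, SAMPLE_LEN, b);
    puts("poll  ps_drop  linux-branch  default-branch");
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        printf("%4zu  %7u  %12lu  %14lu\n", i, SAMPLE[i], a[i], b[i]);
    return 0;
}
```

With a cumulative counter the Linux branch reports new drops on every poll after the first real loss, which is enough to keep drop-adapt pinned at the most restrictive load level.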