Closed devfacet closed 4 years ago
@cmfatih For reference, what version of Packetbeat are you running? And I thought CentOS 6 used a 2.6 kernel?
I was able to reproduce the issue from master on Centos 7 (3.10.0-327.3.1.el7.x86_64). The problem does not occur if I use pcap
instead of af_packet
. The sniffer is getting new data when it calls ReadPacketData()
so I don't think this issue is being caused by the DNS plugin. I don't see any obvious mistakes when looking at the sniffer code. It would be good to get another set of eyes on that code.
@andrewkroh : I use 1.0.1
./packetbeat -version
packetbeat version 1.0.1 (amd64)
Do you have any numbers about performance of pcap
? I used af_packet
just because performance concerns. But I may use pcap
until the issue is solved IF it's not so slow.
UPDATE:
CentOS 6 with updated Kernel
uname -a
Linux ... 3.10.93-1.el6.elrepo.x86_64
@andrewkroh can you try 1.0.1 as well to check that we're talking about the same issue?
@tsg I tried the packetbeat-1.0.1 RPM on Centos 7 and I see the same issue. It looks like the same UDP packets are continuously being received from af_packet.
My kernel info for testing is 3.10.0-327.3.1.el7.x86_64
.
If I configure af_packet to use TPACKET_V2 instead of TPACKET_V3 by adding the configuration option afpacket.OptTPacketVersion(afpacket.TPacketVersion2)
here, then the data appears to be received correctly. But shutting down didn't work correctly after this change because it was stuck in the pollForFirstPacket
loop; it stopped after a packet was received to break the loop.
Looking more closely at the system calls I see that poll
is basically always returning with revents == 1
after the first packet is received. After changing to TPACKET_V2 I see revents == 0
unless a new packet is received and then it's 1
.
I just found this issue google/gopacket#80 (but we aren't doing any packet writing).
It looks like this problem was last seen in version 1, so I'm closing this. We can reopen it if there are more recent reports.
Hi All,
I have configuration like;
Once I ran
nslookup google.com
packetbeat
goes infinity loop;Seems like it doesn't cleanup error events...
I'm running it on CentOS 6 / Kernel 3.10