BPF problems on FreeBSD 7.0
robin at icir.org
Fri Jul 11 20:52:08 UTC 2008
we're seeing some strange effects with our libpcap-based application
(the Bro network intrusion detection system) on a FreeBSD 7-RELEASE
system. As the application has always been running fine on 6.x,
we're wondering whether this might be triggered by any of the
changes that went into 7.
The problem is that the Bro process, after running fine for a few
hours or so, regularly stalls completely; the process seems to enter
some odd state, using 0% CPU and with top showing only an empty
field in the STATE column.
We saw this effect with a Neterion network card and first thought it
might be a driver problem. After switching to an Intel card, we see
something slightly different: now the process doesn't stall
completely anymore but it still gets to some point at which it stops
receiving packets from libpcap.
We haven't yet seen these problems with any other libpcap
application. The only difference between Bro and most other libpcap
applications that I can think of right now, is that Bro is using
select() on the file descriptor. However, with a small test
applicaton which mimics Bro's way of using libpcap, we couldn't
reproduce the problem so far either.
With the Neterion card, we have also tried disabling LRO and MSI
explicitly but to no avail.
Again, this is all with a Bro installation that works fine when
running FreeBSD 6.x (we haven't run 6.x on the same boxes but we see
the problems on two separate machines running FreeBSD 7).
I'm wondering whether anybody here has seen something similar or
might have an idea where to start looking for the cause. Any ideas?
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the freebsd-net