From: "Bruce M. Simpson"
Date: Mon, 14 Jul 2008 14:44:32 +0100
To: Robin Sommer
Cc: freebsd-net@freebsd.org
Subject: Re: BPF problems on FreeBSD 7.0

Robin Sommer wrote:
> Hi all,
>
> we're seeing some strange effects with our libpcap-based application
> (the Bro network intrusion detection system) on a FreeBSD 7-RELEASE
> system. As the application has always been running fine on 6.x,
> we're wondering whether this might be triggered by any of the
> changes that went into 7.
> ...
> I'm wondering whether anybody here has seen something similar or
> might have an idea where to start looking for the cause. Any ideas?
>

One place to start might be: netstat -B output in 7.x (I *think* this got MFCed), this will let us see what the drop count is for the Bro process, and what the flags are for the open BPF descriptors in the system.

I'm not hot on current BPF internals, but I hazard a guess this is related to BPF descriptor buffering -- an area where there have been changes, some of which I've eyeballed.

cheers
BMS