From 98e4a14f6d59fe8928fd6e2af3d9c3e8b42d00bf Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Wed, 18 Dec 2013 19:46:10 +0100 Subject: [PATCH] af-packet: update packet reading loop logic This patch updates the logic of the packet acquisition loop. When the reader loop function is called and when the data to read at offset is a without data (kernel) or still used by suricata. We try to iter for a loop on the ring to try to find kernel put by data. As we are entering the function because the poll said there was some data. This allow us to jump to the data added to the ring by the kernel. When using suricata in autofp mode, with multiple detect threads and packet acquisition threads attached to a dedicated CPU, the reader loop function was looping really fast because poll call was returning immediatly because we did read the data available. --- src/source-af-packet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/source-af-packet.c b/src/source-af-packet.c index a0de99edc3..054866b70f 100644 --- a/src/source-af-packet.c +++ b/src/source-af-packet.c @@ -723,7 +723,7 @@ int AFPReadFromRing(AFPThreadVars *ptv) SCReturnInt(AFP_FAILURE); } - if (h.h2->tp_status == TP_STATUS_KERNEL) { + if (h.h2->tp_status & (TP_STATUS_KERNEL|TP_STATUS_USER_BUSY)) { if (read_pkts == 0) { if (loop_start == -1) { loop_start = ptv->frame_offset;