ENV:
CPU: E5-2630
Network pci: 82599ES 10-Gigabit
Memory: 128g
Suricata: pf_ring(or af-xdp) + 32 workers + log to kafka + listen to interface 1 ,another machine replays pcap to interface 1(Connect using an Ethernet cable)
version: 7.0.0.rc2 or 6.0.11
Problem:
There’s a strange bug : once i replay some http pcap using tcpdump, suricata would parse and generate some /libhtp::request_uri_not_seen log random. I patched some log and found that response is coming earlier than request.
Then i tried single worker mode and enable stream inline, doesn’t help at all. And i print something result that many request data are empty or garbled code,suricata failed to do TCPProtoDetect(), but response works fine.
It occur randomly and stats shows that there is no packet lose.
Reproduce:
1.compile args:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-lua --enable-pfring --enable-old-barnyard2 --enable-unix-socket --enable-geoip --enable-http2decompression --build=x86_64-linux-gnu CFLAGS=“-D_GUN_SOURCE”
2.suricata args:
–pfring-cluster-id=99 --pfring-cluster-type=cluster_flow --pfring-int=xxx -c
/etc/suricata/suricata.yaml
im not sure if suricata.yaml is necessary.
3.replay any http pcap, or a dir contains serval http pcaps by tcpreplay:
tcpreplay -K -i xxx -M 10000 -l 100 --stats=2 /pcapdir
addition:
I also dump all packets by tcpdump while suricata is running. The wrong traffic(url_not_seen or request info lose) in suricata is OK in pcap that dumped by tcpdump.
Here is a example:
URL_NOT_SEEN and no http request data:
Pcap captured by tcpdump shows that request exists:
