Beats: [Packetbeat] pcap sniffer hangs on exit
Packetbeat is not exiting cleanly on Linux with the pcap sniffer. There is no timeout signal for the pcap reader so if no packets are received to unblock the read loop it will hang forever.
Perhaps we need to update gopacket (like for https://github.com/google/gopacket/pull/256).
This was detected by beats-tester when we noticed that the logs from Packetbeat were incomplete (missing "packetbeat stopped.").
For confirmed bugs, please report:
- Version: 6.2.2
- Operating System: Linux (observed on ubuntu1604, awslinux, opensuse)
- Steps to Reproduce:
- Configure Packetbeat with the pcap sniffer on Linux.
- Use a config where no Packets are being received.
- Send Ctrl+C
packetbeat.interfaces.device: any
packetbeat.protocols:
- type: http
ports: [11180] # Some port where there's no traffic.
output.file:
path: '${path.logs}'
filename: output.json
logging:
level: info
json: true
files:
name: packetbeat.json
andrewkroh
All 3 comments
I'm also seeing the same behavior with af_packet.
andrewkroh
on 12 Mar 2018
This is currently causing beats-tester to fail because it verifies that the beat shuts down properly by checking the log file.
andrewkroh
on 13 Mar 2018
I've found out those to be two separate issues.
For af_packet, timeout wasn't being handled correctly at all.
For pcap, it is a well-known problem with libpcap 1.8.0+ which supports TPACKET_V3 to capture packets.
adriansr
on 15 Mar 2018
Related issues
adriansr
路
3Comments
marian-craciunescu
路
3Comments
jsoriano
路
3Comments
gmoskovicz
路
4Comments
exekias
路
3Comments
Most helpful comment
I've found out those to be two separate issues.
For af_packet, timeout wasn't being handled correctly at all.
For pcap, it is a well-known problem with libpcap 1.8.0+ which supports TPACKET_V3 to capture packets.