Thanks Victor.<br><br>I was going to mention that the mentioned proc folders didn't exist on my system.<br><br>I have changed it to 100 max-pending-packets and that has doubled the queue size.<br><br>Thank you<br><br><br>
<br><br><div class="gmail_quote">On 27 August 2010 07:55, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">Pablo wrote:<br>
> I'm not sure, but maybe it's related to the value at "<br>
> /proc/sys/net/nf_conntrack_max " or " /proc/sys/net/netfilter/nf_<br>
> conntrack_buckets "<br>
> You can increase this values with for example<br>
> echo "123456" > /proc/sys/net/nf_conntrack_max<br>
> If not, maybe you can try to search that limit value of 200 with..<br>
> find /proc/sys/net/ -name "*conntrack*" -exec echo {} \; -exec grep 200<br>
> {} \;<br>
> Anyway, 200 entries by default seems to be a low value.<br>
><br>
> You may also want to enable/increase the value of max-pending-packets at<br>
> suricata.yaml<br>
> Let us know if you find out a solution.<br>
<br>
</div>Increasing the max-pending-packets setting will automagically increase<br>
the nfq buffer sizes Suricata sets, so that would probably be a good<br>
solution.<br>
<br>
Suricata gives the following info at startup about nfq buffer sizes:<br>
<br>
[4053] 27/8/2010 -- 08:54:42 - (source-nfq.c:267) <Info> (NFQInitThread)<br>
-- binding this thread to queue '0'<br>
[4053] 27/8/2010 -- 08:54:42 - (source-nfq.c:291) <Info> (NFQInitThread)<br>
-- setting queue length to 200<br>
[4053] 27/8/2010 -- 08:54:42 - (source-nfq.c:304) <Info> (NFQInitThread)<br>
-- setting nfnl bufsize to 300000<br>
<br>
I don't think the conntrack values are related to nf_queue.<br>
<br>
Cheers,<br>
Victor<br>
<font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
</font></blockquote></div><br>