<p dir="ltr">Also the age-old questions:<br>
1) amount of traffic<br>
2) hardware with FreeBSD installed.</p>
<p dir="ltr">You can do some sysctl hacks to get more network performance but it is all for naught when you are trying to monitor tons of traffic.</p>
<div class="gmail_quote">On Oct 9, 2013 8:32 AM, "Victor Julien" &lt;<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 10/09/2013 02:28 PM, C. L. Martinez wrote:<br>
> Hi all,<br>
><br>
>  Recently, I installed a FreeBSD 9.2 host with suricata 1.4.6 and<br>
> it reports a lot of packets dropped by the kernel:<br>
><br>
> For example after 2 minutes up:<br>
><br>
> Date: 10/9/2013 -- 12:19:50 (uptime: 0d, 00h 02m 58s)<br>
> -------------------------------------------------------------------<br>
> Counter                   | TM Name                   | Value<br>
> -------------------------------------------------------------------<br>
> capture.kernel_packets    | RxPcapem41                | 3137698<br>
> capture.kernel_drops      | RxPcapem41                | 2415508<br>
> capture.kernel_ifdrops    | RxPcapem41                | 0<br>
><br>
> But tcp.ssn_memcap_drop and tcp.reassembly_gap:<br>
><br>
> decoder.avg_pkt_size      | RxPcapem42                | 828<br>
> decoder.max_pkt_size      | RxPcapem42                | 1514<br>
> defrag.ipv4.fragments     | RxPcapem42                | 90<br>
> defrag.ipv4.reassembled   | RxPcapem42                | 25<br>
> defrag.ipv4.timeouts      | RxPcapem42                | 0<br>
> defrag.ipv6.fragments     | RxPcapem42                | 0<br>
> defrag.ipv6.reassembled   | RxPcapem42                | 0<br>
> defrag.ipv6.timeouts      | RxPcapem42                | 0<br>
> defrag.max_frag_hits      | RxPcapem42                | 0<br>
> tcp.sessions              | RxPcapem42                | 308<br>
> tcp.ssn_memcap_drop       | RxPcapem42                | 0<br>
> tcp.pseudo                | RxPcapem42                | 23<br>
> tcp.invalid_checksum      | RxPcapem42                | 0<br>
> tcp.no_flow               | RxPcapem42                | 0<br>
> tcp.reused_ssn            | RxPcapem42                | 0<br>
> tcp.memuse                | RxPcapem42                | 6029312<br>
> tcp.syn                   | RxPcapem42                | 1261<br>
> tcp.synack                | RxPcapem42                | 702<br>
> tcp.rst                   | RxPcapem42                | 565<br>
> tcp.segment_memcap_drop   | RxPcapem42                | 0<br>
> tcp.stream_depth_reached  | RxPcapem42                | 0<br>
> tcp.reassembly_memuse     | RxPcapem42                | 11327048<br>
> tcp.reassembly_gap        | RxPcapem42                | 23<br>
<br>
tcp.ssn_memcap_drop and tcp.reassembly_gap are only related to memcaps, not<br>
to packet loss.<br>
<br>
> I think the problem is with interrupts:<br>
><br>
> interrupt                          total       rate<br>
> irq1: atkbd0                           6          0<br>
> irq10: em2 em3                   2320880       3453<br>
> irq11: em0 em1 em4+              1256951       1870<br>
> cpu0:timer                        148773        221<br>
> cpu1:timer                        148310        220<br>
> Total                            3877066       5769<br>
<br>
Not sure.<br>
<br>
What runmode are you using? Also, what's your max-pending-packets setting?<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</blockquote></div>
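<p dir="ltr">An added example, not part of the thread or of Suricata itself: a small parser for counter rows in the stats.log layout quoted above, which reports the kernel drop ratio per capture thread. The function names, the 1% threshold and the definition of the ratio as capture.kernel_drops divided by capture.kernel_packets are assumptions of this example; the sample rows are constructed from values quoted in the thread.</p>

```python
import re
from collections import defaultdict

# Constructed sample: counter rows in the stats.log layout quoted in the thread,
# including the mail-quote prefix and <br> residue a pasted copy may carry.
SAMPLE = """\
> capture.kernel_packets    | RxPcapem41                | 3137698<br>
> capture.kernel_drops      | RxPcapem41                | 2415508<br>
> capture.kernel_ifdrops    | RxPcapem41                | 0<br>
> tcp.ssn_memcap_drop       | RxPcapem42                | 0<br>
> tcp.segment_memcap_drop   | RxPcapem42                | 0<br>
> tcp.reassembly_gap        | RxPcapem42                | 23<br>
"""

# counter | thread name | integer value; header and separator rows do not match.
ROW = re.compile(r"^[>\s]*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)")

def parse_stats(text):
    """Return {thread_name: {counter: value}} for every counter row found."""
    threads = defaultdict(dict)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counter, thread, value = m.groups()
            threads[thread][counter] = int(value)
    return dict(threads)

def kernel_drop_ratio(counters):
    """kernel_drops / kernel_packets (assumed definition); None if no capture counters."""
    packets = counters.get("capture.kernel_packets", 0)
    if packets == 0:
        return None
    return counters.get("capture.kernel_drops", 0) / packets

def report(text, threshold=0.01):
    """List (thread, ratio) for threads whose drop ratio exceeds the assumed threshold."""
    out = []
    for thread, counters in sorted(parse_stats(text).items()):
        ratio = kernel_drop_ratio(counters)
        if ratio is not None and ratio > threshold:
            out.append((thread, round(ratio, 4)))
    return out

if __name__ == "__main__":
    for thread, ratio in report(SAMPLE):
        print(f"{thread}: {ratio:.2%} of packets dropped by the kernel")
```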