
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">

</head>

<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">

<div><br>

</div>

<div>

<div>On 19/08/2014, at 9:56 pm, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:</div>

<br class="Apple-interchange-newline">

<blockquote type="cite">On Tue, Aug 19, 2014 at 3:12 AM, Russell Fulton <<a href="mailto:r.fulton@auckland.ac.nz">r.fulton@auckland.ac.nz</a>> wrote:<br>

<blockquote type="cite">Hi<br>

<br>

I am using pfring and suri together and I am seeing significant number (~50%) of capture.kernel_drops at peak times.<br>

<br>

capture.kernel_packets    | RxPFReth31                | 2404928581<br>

capture.kernel_drops      | RxPFReth31                | 1434169109<br>

<br>

*stats over 10 minutes)<br>

<br>

according to our cpacket switch interface is seeing about 2.5Gbps and 360K pps.<br>

<br>

This sensor is also running bro which I may well have to drop.<br>

<br>

Russell<br>

_______________________________________________<br>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">

oisf-users@openinfosecfoundation.org</a><br>

Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">

http://suricata-ids.org/support/</a><br>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">

https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

OISF: <a href="http://www.openinfosecfoundation.org/">http://www.openinfosecfoundation.org/</a><br>

</blockquote>

<br>

<br>

Hi,<br>

<br>

I think you might need to do some tuning.<br>

What does your memcaps and timeouts look like in suricata.yaml.<br>

</blockquote>

<div><br>

</div>

<div><br>

</div>

<div>

<div style="margin: 0px; font-size: 11px; font-family: Menlo;">flow:</div>

<div style="margin: 0px; font-size: 11px; font-family: Menlo;">  <span style="color: #ffffff; background-color: #000000">

memcap</span>: 128mb</div>

<div style="margin: 0px; font-size: 11px; font-family: Menlo;">  hash-size: 65536</div>

<div style="margin: 0px; font-size: 11px; font-family: Menlo;">  prealloc: 10000</div>

<div style="margin: 0px; font-size: 11px; font-family: Menlo;">  emergency-recovery: 30</div>

<div style="margin: 0px; font-size: 11px; font-family: Menlo; min-height: 13px;">

<div style="margin: 0px;">flow-timeouts:</div>

<div style="margin: 0px; min-height: 13px;"><br>

</div>

<div style="margin: 0px;">  default:</div>

<div style="margin: 0px;">    new: 30</div>

<div style="margin: 0px;">    established: 300</div>

<div style="margin: 0px;">    closed: 0</div>

<div style="margin: 0px;">    emergency-new: 10</div>

<div style="margin: 0px;">    emergency-established: 100</div>

<div style="margin: 0px;">    emergency-closed: 0</div>

<div style="margin: 0px;">  tcp:</div>

<div style="margin: 0px;">    new: 60</div>

<div style="margin: 0px;">    established: 3600</div>

<div style="margin: 0px;">    closed: 120</div>

<div style="margin: 0px;">    emergency-new: 10</div>

<div style="margin: 0px;">    emergency-established: 300</div>

<div style="margin: 0px;">    emergency-closed: 20</div>

<div style="margin: 0px;">  udp:</div>

<div style="margin: 0px;">    new: 30</div>

<div style="margin: 0px;">    established: 300</div>

<div style="margin: 0px;">    emergency-new: 10</div>

<div style="margin: 0px;">    emergency-established: 100</div>

<div style="margin: 0px;">  icmp:</div>

<div style="margin: 0px;">    new: 30</div>

<div style="margin: 0px;">    established: 300</div>

<div style="margin: 0px;">    emergency-new: 10</div>

<div style="margin: 0px;">    emergency-established: 100</div>

<div>

<div style="margin: 0px;">stream:</div>

<div style="margin: 0px;">  <span style="color: #ffffff; background-color: #000000">

memcap</span>: 32mb</div>

<div style="margin: 0px;">  checksum-validation: yes      # reject wrong csums</div>

<div style="margin: 0px;">  inline: no                    # no inline mode</div>

<div style="margin: 0px;">  reassembly:</div>

<div style="margin: 0px;">    <span style="color: #ffffff; background-color: #000000">

memcap</span>: 64mb</div>

<div style="margin: 0px;">    depth: 1mb                  # reassemble 1mb into a stream</div>

<div style="margin: 0px;">    toserver-chunk-size: 2560</div>

<div style="margin: 0px;">    toclient-chunk-size: 2560</div>

<div style="margin: 0px; min-height: 13px;"><br>

</div>

<div style="margin: 0px;"># Host table:</div>

<div style="margin: 0px;">#</div>

<div style="margin: 0px;"># Host table is used by tagging and per host thresholding subsystems.</div>

<div style="margin: 0px;">#</div>

<div style="margin: 0px;">host:</div>

<div style="margin: 0px;">  hash-size: 4096</div>

<div style="margin: 0px;">  prealloc: 1000</div>

<div style="margin: 0px;">  <span style="color: #ffffff; background-color: #000000">

memcap</span>: 16777216</div>

</div>

<div><br>

</div>

</div>

</div>

<br>

<blockquote type="cite">What are your buffers for pf_ring? Which pf_ring version are you running?<br>

</blockquote>

<div><br>

</div>

<div>not sure how i find this out?  I am using pfring from the SO distribution</div>

<br>

<blockquote type="cite">How many pps do you have?<br>

</blockquote>

<div><br>

</div>

<div>order of 350Kpps</div>

<div><br>

</div>

<br>

<blockquote type="cite"><br>

thanks<br>

<br>

<br>

-- <br>

Regards,<br>

Peter Manev<br>

</blockquote>

</div>

<br>

</body>

</html>