<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Just to add some info to this.<div>ifconfig does not report any dropped packets.</div><div>/proc/net/pf_ring/xxx-eth0.1 reports packet drops. I assume Suricata gets that stat from there.</div><div>ethtool -S eth0 has the following:</div><div><div><span style="font-size: 12pt;">NIC statistics:</span></div><div> rcvd bad skb: 0</div><div> xmit called: 0</div><div> xmited frames: 0</div><div> xmit finished: 0</div><div> bad skb len: 0</div><div> no cmd desc: 0</div><div> polled: 0</div><div> uphappy: 3869414</div><div> updropped: 0</div><div> tx dropped: 0</div><div> csummed: 0</div><div> no rcv: 7281014949</div><div> rx bytes: 4439217322357</div><div> lro pkts: 0</div><div> tx bytes: 0</div><div> lso pkts: 0</div><div><br></div>Thank you</div><div><br><div><hr id="stopSpelling">From: coolyasha@hotmail.com<br>To: cnelson@ucsd.edu; oisf-users@lists.openinfosecfoundation.org<br>Date: Wed, 9 Dec 2015 13:36:15 +0000<br>Subject: Re: [Oisf-users] packet loss troubleshooting<br><br>
<div dir="ltr">I am at about 10% now. So this is not good.<div>So whenever I see capture.kernel_drops this is always an OS or NIC problem? Suricata itself has nothing to do with it, right?</div><div>I guess once I start seeing kernel drops, reassembly gaps start to increase. Is that correct as well?</div><div><br></div><div>I am not an expert on net.core.* buffers. Can you advise on which ones I need to increase or how to find out which ones I need to increase?</div><div><br></div><div>Thank you.<br><br><div>> Subject: Re: [Oisf-users] packet loss troubleshooting<br>> To: coolyasha@hotmail.com; oisf-users@lists.openinfosecfoundation.org<br>> From: cnelson@ucsd.edu<br>> Date: Tue, 8 Dec 2015 12:22:53 -0800<br>> <br>> -----BEGIN PGP SIGNED MESSAGE-----<br>> Hash: SHA1<br>> <br>> You are dropping packets in the kernel.<br>> <br>> If you do the math this is actually 0.64%, which is under 1% and<br>> considered normal. You can try increasing your net.core.* buffers via<br>> sysctl, but in my experience Suricata will always drop packets when<br>> being started or under a DOS/packet-flood scenario.<br>> <br>> As long as drops are under 1% over long periods you should be fine.<br>> <br>> - -Coop<br>> <br>> On 12/8/2015 7:14 AM, Yasha Zislin wrote:<br>> > I am trying to narrow down a good config to reduce packet loss. It seems<br>> > that it is related to reassembly of streams.<br>> > I keep getting reassembly gaps and therefore packet loss. 
Here is an<br>> > example stats.log<br>> > capture.kernel_packets | RxPFReth02 | 455937792<br>> > capture.kernel_drops | RxPFReth02 | 2921250<br>> <br>> <br>> - -- <br>> Cooper Nelson<br>> Network Security Analyst<br>> UCSD ACT Security Team<br>> cnelson@ucsd.edu x41042<br></div></div> </div>
</div></div> </div></body>
</html>