<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Peter,<div><br></div><div>So I've found this article: <a href="https://home.regit.org/2013/11/using-linux-perf-tools-for-suricata-performance-analysis/" target="_blank">https://home.regit.org/2013/11/using-linux-perf-tools-for-suricata-performance-analysis/</a></div><div>Decided to give it a shot to see at which process exactly is the CPU saturation. I've recompiled suricata with that configure flag.</div><div>After I've started the service on my problematic sensor, packet loss disappeared. Not sure what to think here. It is possible traffic might have changed but highly unlikely.</div><div>BTW, perf top is still not showing suricata methods/functions even with that flag enabled.</div><div><br></div><div>I dont recall but I think i did try suricata 3.0 with the same result.</div><div><br></div><div>I will leave this sensor for now since it is working.<br><br><div>> Subject: Re: [Oisf-users] unusual packet loss<br>> From: petermanev@gmail.com<br>> To: coolyasha@hotmail.com<br>> CC: oisf-users@lists.openinfosecfoundation.org<br>> Date: Sat, 2 Jan 2016 14:09:07 +0100<br>> <br>> On Thu, 2015-12-24 at 12:09 +0000, Yasha Zislin wrote:<br>> > I have 4 threads running to monitor one interface. One of the threads<br>> > is consuming 100% CPU and starts to have packet loss. Other 3 have<br>> > zero packet loss.<br>> <br>> I was afraid that it is the "management" thread(s) that does this - but<br>> it is not :)<br>> <br>> Which pf_ring version are you employing? (I had a similar case with an<br>> older version - not sure if it is pf_ring though)<br>> <br>> Sometimes UDP load balancing on the NIC helps - <br>> ethtool -N eth1 rx-flow-hash udp4 sdfn<br>> ethtool -N eth1 rx-flow-hash udp6 sdfn<br>> <br>> Very curious if you experience the same issue with 3.0RC3 ?<br>> <br>> Thanks<br>> <br>> > <br>> > > Date: Wed, 23 Dec 2015 22:36:44 +0100<br>> > > Subject: Re: [Oisf-users] unusual packet loss<br>> > > From: petermanev@gmail.com<br>> > > To: coolyasha@hotmail.com<br>> > > CC: oisf-users@lists.openinfosecfoundation.org<br>> > > <br>> > > On Wed, Dec 23, 2015 at 3:36 PM, Yasha Zislin<br>> > <coolyasha@hotmail.com> wrote:<br>> > > > I am running Suricata 2.1beta4 with PF_RING.<br>> > > > I have 4 threads (4 logical CPUs) monitoring one interface. After<br>> > a few<br>> > > > minutes of running, I get 50% packet loss.<br>> > > > I have tweaked all of the stream reassembly buffers to avoid<br>> > packet loss.<br>> > > > Only one of the threads gets kernel packet drops. I've noticed<br>> > that one CPU<br>> > > > is running at 100% and others are almost idle. Looking at<br>> > stats.log, that<br>> > > > one thread for some reason is digesting more packets than others.<br>> > > > Throughput on this sensor is not that big. About 500k packets a<br>> > minute. I<br>> > > > use this image on other sensors without issues.<br>> > > ><br>> > > > Need help to figure out why only one thread is doing MOST of the<br>> > work.<br>> > > <br>> > > Can you share "top -H" screenshot ?<br>> > > <br>> > > ><br>> > > > Thank you.<br>> > > ><br>> > > > _______________________________________________<br>> > > > Suricata IDS Users mailing list:<br>> > oisf-users@openinfosecfoundation.org<br>> > > > Site: http://suricata-ids.org | Support:<br>> > http://suricata-ids.org/support/<br>> > > > List:<br>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> > > > Suricata User Conference November 4 & 5 in Barcelona:<br>> > http://oisfevents.net<br>> > > <br>> > > <br>> > > <br>> > > -- <br>> > > Regards,<br>> > > Peter Manev<br>> > <br>> <br>> -- <br>> Regards,<br>> Peter Manev<br>> <br></div></div> </div></body>
</html>