<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>It's weird but I've reverted back to my regular compilation image and packet loss is completely gone. Hard to say if traffic changed or not, but I dont have this issue anymore.<div><br></div><div>Thanks for providing CFLAGS link. <br><br><div>> Date: Fri, 8 Jan 2016 12:55:17 +0100<br>> Subject: Re: [Oisf-users] unusual packet loss<br>> From: petermanev@gmail.com<br>> To: coolyasha@hotmail.com<br>> CC: oisf-users@lists.openinfosecfoundation.org<br>> <br>> On Thu, Jan 7, 2016 at 2:10 PM, Yasha Zislin <coolyasha@hotmail.com> wrote:<br>> > Peter,<br>> ><br>> > So I've found this article:<br>> > https://home.regit.org/2013/11/using-linux-perf-tools-for-suricata-performance-analysis/<br>> > Decided to give it a shot to see at which process exactly is the CPU<br>> > saturation. I've recompiled suricata with that configure flag.<br>> > After I've started the service on my problematic sensor, packet loss<br>> > disappeared. Not sure what to think here. It is possible traffic might have<br>> <br>> Interesting... can you reproduce that consistently? I mean if you do<br>> the recompile switch with/without the flag the drops would<br>> appear/disappear ?<br>> <br>> Please have a look here for some CFLAGS explanations -<br>> https://gcc.gnu.org/onlinedocs/gcc-3.2/gcc/Optimize-Options.html<br>> <br>> <br>> > changed but highly unlikely.<br>> > BTW, perf top is still not showing suricata methods/functions even with that<br>> > flag enabled.<br>> ><br>> > I dont recall but I think i did try suricata 3.0 with the same result.<br>> ><br>> > I will leave this sensor for now since it is working.<br>> ><br>> >> Subject: Re: [Oisf-users] unusual packet loss<br>> >> From: petermanev@gmail.com<br>> >> To: coolyasha@hotmail.com<br>> >> CC: oisf-users@lists.openinfosecfoundation.org<br>> >> Date: Sat, 2 Jan 2016 14:09:07 +0100<br>> ><br>> >><br>> >> On Thu, 2015-12-24 at 12:09 +0000, Yasha Zislin wrote:<br>> >> > I have 4 threads running to monitor one interface. One of the threads<br>> >> > is consuming 100% CPU and starts to have packet loss. Other 3 have<br>> >> > zero packet loss.<br>> >><br>> >> I was afraid that it is the "management" thread(s) that does this - but<br>> >> it is not :)<br>> >><br>> >> Which pf_ring version are you employing? (I had a similar case with an<br>> >> older version - not sure if it is pf_ring though)<br>> >><br>> >> Sometimes UDP load balancing on the NIC helps -<br>> >> ethtool -N eth1 rx-flow-hash udp4 sdfn<br>> >> ethtool -N eth1 rx-flow-hash udp6 sdfn<br>> >><br>> >> Very curious if you experience the same issue with 3.0RC3 ?<br>> >><br>> >> Thanks<br>> >><br>> >> ><br>> >> > > Date: Wed, 23 Dec 2015 22:36:44 +0100<br>> >> > > Subject: Re: [Oisf-users] unusual packet loss<br>> >> > > From: petermanev@gmail.com<br>> >> > > To: coolyasha@hotmail.com<br>> >> > > CC: oisf-users@lists.openinfosecfoundation.org<br>> >> > ><br>> >> > > On Wed, Dec 23, 2015 at 3:36 PM, Yasha Zislin<br>> >> > <coolyasha@hotmail.com> wrote:<br>> >> > > > I am running Suricata 2.1beta4 with PF_RING.<br>> >> > > > I have 4 threads (4 logical CPUs) monitoring one interface. After<br>> >> > a few<br>> >> > > > minutes of running, I get 50% packet loss.<br>> >> > > > I have tweaked all of the stream reassembly buffers to avoid<br>> >> > packet loss.<br>> >> > > > Only one of the threads gets kernel packet drops. I've noticed<br>> >> > that one CPU<br>> >> > > > is running at 100% and others are almost idle. Looking at<br>> >> > stats.log, that<br>> >> > > > one thread for some reason is digesting more packets than others.<br>> >> > > > Throughput on this sensor is not that big. About 500k packets a<br>> >> > minute. I<br>> >> > > > use this image on other sensors without issues.<br>> >> > > ><br>> >> > > > Need help to figure out why only one thread is doing MOST of the<br>> >> > work.<br>> >> > ><br>> >> > > Can you share "top -H" screenshot ?<br>> >> > ><br>> >> > > ><br>> >> > > > Thank you.<br>> >> > > ><br>> >> > > > _______________________________________________<br>> >> > > > Suricata IDS Users mailing list:<br>> >> > oisf-users@openinfosecfoundation.org<br>> >> > > > Site: http://suricata-ids.org | Support:<br>> >> > http://suricata-ids.org/support/<br>> >> > > > List:<br>> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> >> > > > Suricata User Conference November 4 & 5 in Barcelona:<br>> >> > http://oisfevents.net<br>> >> > ><br>> >> > ><br>> >> > ><br>> >> > > --<br>> >> > > Regards,<br>> >> > > Peter Manev<br>> >> ><br>> >><br>> >> --<br>> >> Regards,<br>> >> Peter Manev<br>> >><br>> <br>> <br>> <br>> -- <br>> Regards,<br>> Peter Manev<br></div></div> </div></body>
</html>