<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>Just a thought - do you have something like smokeping in your network?</div><div><br></div><div>A CPU or two pegged while everything else is almost idle, with a high drop count could be either an elephant flow or this:</div><div><br></div><div><a href="https://github.com/inliniac/suricata/commit/0a22ba7e23deef9ab432d048828169f663dd247b">https://github.com/inliniac/suricata/commit/0a22ba7e23deef9ab432d048828169f663dd247b</a></div><div><br></div><div>Elephant flow means something like a data copy between a pair of hosts, over a single pair of ports, at a high speed. It would land on a single CPU, saturating it.</div><div><br></div><div>Also, which kernel version do you use?</div><div><br>On 01 Mar 2016, at 07:47, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><span>On Mon, Feb 29, 2016 at 10:37 PM, Barkley, Joey</span><br><span><<a href="mailto:Joey.Barkley@ingramcontent.com">Joey.Barkley@ingramcontent.com</a>> wrote:</span><br><blockquote type="cite"><span>All,</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I've done some tweaking to my test instance but can't seem to get it running</span><br></blockquote><blockquote type="cite"><span>properly. 
Here is what I did:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>1) Took the dev-detect-grouping-v174 branch and merged master (as of this</span><br></blockquote><blockquote type="cite"><span>morning, 2016-02-29) into it.</span><br></blockquote><span></span><br><span>I would suggest do it step by step - in order to avoid excessive</span><br><span>troubleshooting if needed.</span><br><span>So start with just the dev-detect-grouping-v174 branch - but if you</span><br><span>start with that I would recommend the latest branch -</span><br><span>dev-detect-grouping-v178 branch -</span><br><span><a href="https://github.com/inliniac/suricata/tree/dev-detect-grouping-v178">https://github.com/inliniac/suricata/tree/dev-detect-grouping-v178</a></span><br><span></span><br><span></span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>2) Built Suricata and used my normal config file, but made the required</span><br></blockquote><blockquote type="cite"><span>changes in the "detect" section.</span><br></blockquote><span></span><br><span>What changes are those exactly? Can you share that section of the suricata.yaml?</span><br><span></span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>    a. I tried the default (profile medium, toclient 3, toserver 25) but</span><br></blockquote><blockquote type="cite"><span>then also changed to 30 and 250 just to test. 
Same results with both.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><span></span><br><span>How many rules do you load?(or are you trying with no rules as a test)</span><br><span></span><br><blockquote type="cite"><span>3) I have 8 threads set, and I have management cpu set to 0,2 and detect cpu</span><br></blockquote><blockquote type="cite"><span>set to 4-14 (even number cores).</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>4) management cpu set is exclusive and high, so is detect cpu set</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Suricata starts up very quickly (few seconds) and consumes very little RAM.</span><br></blockquote><blockquote type="cite"><span>However, I get cpu 0 with a very small use %, and cpu's 4 & 14 pegged at</span><br></blockquote><blockquote type="cite"><span>100%. kernel_drops are extremely high (compared to my working config).</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><span></span><br><span>This is - cpu's 4 and 14 are only pegged - not 4 through 14 (even</span><br><span>numbers only), is that correct?</span><br><span></span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I know I've got a lot of variables in this setup, but does anyone see</span><br></blockquote><blockquote type="cite"><span>anything obviously wrong with how I've set things up? 
Should I stop</span><br></blockquote><blockquote type="cite"><span>separating out the management CPU set and just run them on the CPUs that the</span><br></blockquote><blockquote type="cite"><span>detect threads run on?</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Thanks,</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Joey Barkley</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>_______________________________________________</span><br></blockquote><blockquote type="cite"><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br></blockquote><blockquote type="cite"><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br></blockquote><blockquote type="cite"><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br></blockquote><blockquote type="cite"><span>Suricata User Conference November 9-11 in Washington, DC:</span><br></blockquote><blockquote type="cite"><span><a href="http://oisfevents.net">http://oisfevents.net</a></span><br></blockquote><span></span><br><span></span><br><span></span><br><span>-- </span><br><span>Regards,</span><br><span>Peter Manev</span><br></div></blockquote></body></html>
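The reply above suggests that a single CPU pegged at 100% with a high kernel_drops count can be an elephant flow: because a symmetric flow hash sends both directions of one 5-tuple to the same worker, one fast host-to-host copy can only ever load one CPU. The following is an added example written for this thread, not code from either poster or from the Suricata project. It reads constructed eve.json "flow" and "stats" events (the field names follow Suricata's eve output; the sample values are made up), ranks flows by volume and sustained rate to spot elephants, computes the kernel drop ratio, and maps each flow to a worker with a toy symmetric CRC32 hash (an assumption for illustration, not Suricata's or any NIC's real hash) to show the load concentrating on one worker.

```python
import json
import zlib
from datetime import datetime

# Constructed sample eve.json lines (not a real capture). The field layout
# follows Suricata's "flow" and "stats" event types; all values are made up.
SAMPLE_EVE = """
{"timestamp":"2016-03-01T07:41:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":445,"proto":"TCP","flow":{"pkts_toserver":4100000,"pkts_toclient":2000000,"bytes_toserver":5900000000,"bytes_toclient":100000000,"start":"2016-03-01T07:40:00.000000+0000","end":"2016-03-01T07:41:00.000000+0000"}}
{"timestamp":"2016-03-01T07:41:02.000000+0000","event_type":"flow","src_ip":"10.0.0.7","src_port":40001,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1200,"bytes_toclient":5400,"start":"2016-03-01T07:41:00.000000+0000","end":"2016-03-01T07:41:02.000000+0000"}}
{"timestamp":"2016-03-01T07:41:05.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"192.0.2.10","alert":{"signature":"constructed test alert"}}
{"timestamp":"2016-03-01T07:50:00.000000+0000","event_type":"flow","src_ip":"10.0.0.8","src_port":33000,"dest_ip":"10.0.0.2","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":100000,"pkts_toclient":200000,"bytes_toserver":50000000,"bytes_toclient":250000000,"start":"2016-03-01T07:40:00.000000+0000","end":"2016-03-01T07:50:00.000000+0000"}}
{"timestamp":"2016-03-01T07:50:08.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":5000000,"kernel_drops":900000}}}
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata eve timestamp format


def _events(eve_text):
    for line in eve_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def parse_flows(eve_text):
    """One summary dict per eve 'flow' event: 5-tuple, total bytes, duration, rate."""
    flows = []
    for ev in _events(eve_text):
        if ev.get("event_type") != "flow":
            continue  # alerts, stats and other event types are skipped
        f = ev["flow"]
        start = datetime.strptime(f["start"], TS_FMT)
        end = datetime.strptime(f["end"], TS_FMT)
        duration = (end - start).total_seconds()
        total = f["bytes_toserver"] + f["bytes_toclient"]
        flows.append({
            "src_ip": ev["src_ip"], "src_port": ev["src_port"],
            "dest_ip": ev["dest_ip"], "dest_port": ev["dest_port"],
            "proto": ev["proto"],
            "bytes": total,
            "duration": duration,
            # Sub-second flows are rated as if they lasted one second so that a
            # tiny burst is not inflated into an "elephant" by a near-zero divisor.
            "bytes_per_sec": total / max(duration, 1.0),
        })
    return flows


def find_elephants(flows, min_bytes=1_000_000_000, min_bytes_per_sec=50_000_000):
    """Flag flows that are huge in volume or sustained at a high rate (thresholds are assumed)."""
    return [fl for fl in flows
            if fl["bytes"] >= min_bytes or fl["bytes_per_sec"] >= min_bytes_per_sec]


def symmetric_worker(src_ip, src_port, dest_ip, dest_port, proto, n_workers):
    """Toy symmetric flow hash: CRC32 over the direction-independent 5-tuple.
    This is an assumption for illustration, not Suricata's or the NIC's hash;
    the property it demonstrates is that both directions of a flow land on the
    same worker, so one flow can only ever load one CPU."""
    lo, hi = sorted([(src_ip, src_port), (dest_ip, dest_port)])
    key = f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()
    return zlib.crc32(key) % n_workers


def worker_load(flows, n_workers):
    """Bytes per worker; an elephant flow shows up as one worker far above the rest."""
    load = [0] * n_workers
    for fl in flows:
        w = symmetric_worker(fl["src_ip"], fl["src_port"], fl["dest_ip"],
                             fl["dest_port"], fl["proto"], n_workers)
        load[w] += fl["bytes"]
    return load


def kernel_drop_ratio(eve_text):
    """kernel_drops / kernel_packets from the last eve 'stats' event (None if absent)."""
    ratio = None
    for ev in _events(eve_text):
        if ev.get("event_type") != "stats":
            continue
        cap = ev["stats"].get("capture", {})
        pkts = cap.get("kernel_packets", 0)
        if pkts:
            ratio = cap.get("kernel_drops", 0) / pkts
    return ratio


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_EVE)
    for fl in find_elephants(flows):
        print("elephant: %s:%d -> %s:%d %s, %d bytes, %.0f B/s over %.0fs" % (
            fl["src_ip"], fl["src_port"], fl["dest_ip"], fl["dest_port"],
            fl["proto"], fl["bytes"], fl["bytes_per_sec"], fl["duration"]))
    print("bytes per worker (8 workers):", worker_load(flows, 8))
    print("kernel drop ratio:", kernel_drop_ratio(SAMPLE_EVE))
```

Run against a real eve.json by replacing SAMPLE_EVE with the file contents; a single worker carrying most of the bytes in worker_load while the drop ratio is high is the pattern the reply describes, and the 5-tuple printed by find_elephants names the pair of hosts and ports to look at.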