<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">Sure, </div>
<div class=""><br class="">
</div>
<div class="">Some specs</div>
<div class=""><br class="">
</div>
<div class="">Machine </div>
<div class="">Dell R430</div>
<div class="">2x14 core Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz</div>
<div class="">35M L3 cache</div>
<div class="">128G Ram</div>
<div class="">Intel X520 ethernet card</div>
<div class=""><br class="">
</div>
<div class="">OS - Ubuntu 16.04.1 LTS</div>
<div class="">Kernel - 4.4.0-59-generic</div>
<div class="">Intel(R) 10GbE PCI Express Linux Network Driver - version 4.4.6</div>
<div class=""><br class="">
</div>
<div class="">Suricata seems to be using about 40.5G resident memory.</div>
<div class=""><br class="">
</div>
<div class="">Last stat update -</div>
<div class=""><br class="">
</div>
<div class="">The tcp.reassembly_memuse appears to be enormous ?16Pb?. Doesn’t seem right.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">------------------------------------------------------------------------------------</div>
<div class="">Date: 2/1/2017 -- 08:50:29 (uptime: 0d, 23h 31m 08s)</div>
<div class="">------------------------------------------------------------------------------------</div>
<div class="">Counter | TM Name | Value</div>
<div class="">------------------------------------------------------------------------------------</div>
<div class="">capture.kernel_packets | Total | 22604957367</div>
<div class="">capture.kernel_drops | Total | 40166</div>
<div class="">decoder.pkts | Total | 22605130865</div>
<div class="">decoder.bytes | Total | 22092883178348</div>
<div class="">decoder.invalid | Total | 4199422</div>
<div class="">decoder.ipv4 | Total | 22606546275</div>
<div class="">decoder.ipv6 | Total | 15489763</div>
<div class="">decoder.ethernet | Total | 22605131052</div>
<div class="">decoder.tcp | Total | 18070722539</div>
<div class="">decoder.udp | Total | 4281815803</div>
<div class="">decoder.icmpv4 | Total | 22078766</div>
<div class="">decoder.icmpv6 | Total | 8290</div>
<div class="">decoder.ppp | Total | 147901356</div>
<div class="">decoder.gre | Total | 149364919</div>
<div class="">decoder.teredo | Total | 15471659</div>
<div class="">decoder.avg_pkt_size | Total | 977</div>
<div class="">decoder.max_pkt_size | Total | 16591</div>
<div class="">defrag.ipv4.fragments | Total | 3</div>
<div class="">defrag.ipv6.fragments | Total | 115</div>
<div class="">defrag.ipv6.reassembled | Total | 28</div>
<div class="">decoder.icmpv4.ipv4_trunc_pkt | Total | 6</div>
<div class="">decoder.icmpv4.ipv4_unknown_ver | Total | 451</div>
<div class="">decoder.tcp.hlen_too_small | Total | 6276</div>
<div class="">decoder.tcp.invalid_optlen | Total | 230</div>
<div class="">decoder.tcp.opt_invalid_len | Total | 608</div>
<div class="">decoder.udp.pkt_too_small | Total | 16</div>
<div class="">decoder.udp.hlen_invalid | Total | 4191833</div>
<div class="">decoder.gre.version0_recur | Total | 1</div>
<div class="">decoder.gre.version1_flags | Total | 1</div>
<div class="">tcp.sessions | Total | 252444206</div>
<div class="">tcp.ssn_memcap_drop | Total | 42676</div>
<div class="">tcp.pseudo | Total | 10488865</div>
<div class="">tcp.invalid_checksum | Total | 124112</div>
<div class="">tcp.syn | Total | 301974943</div>
<div class="">tcp.synack | Total | 117698991</div>
<div class="">tcp.rst | Total | 108761603</div>
<div class="">tcp.segment_memcap_drop | Total | 1292430868</div>
<div class="">tcp.stream_depth_reached | Total | 12508</div>
<div class="">tcp.reassembly_gap | Total | 227951862</div>
<div class="">detect.alert | Total | 2333041</div>
<div class="">app_layer.flow.http | Total | 4769888</div>
<div class="">app_layer.tx.http | Total | 11055214</div>
<div class="">app_layer.flow.smtp | Total | 1</div>
<div class="">app_layer.tx.smtp | Total | 577624</div>
<div class="">app_layer.flow.tls | Total | 8893548</div>
<div class="">app_layer.flow.ssh | Total | 518339</div>
<div class="">app_layer.flow.smb | Total | 34653</div>
<div class="">app_layer.flow.dcerpc_tcp | Total | 24</div>
<div class="">app_layer.flow.dns_tcp | Total | 11861</div>
<div class="">app_layer.tx.dns_tcp | Total | 4980</div>
<div class="">app_layer.flow.failed_tcp | Total | 6015530</div>
<div class="">app_layer.flow.dcerpc_udp | Total | 18464</div>
<div class="">app_layer.flow.dns_udp | Total | 55013837</div>
<div class="">app_layer.tx.dns_udp | Total | 18797149</div>
<div class="">app_layer.flow.failed_udp | Total | 46908581</div>
<div class="">flow_mgr.closed_pruned | Total | 77180292</div>
<div class="">flow_mgr.new_pruned | Total | 348444456</div>
<div class="">flow_mgr.est_pruned | Total | 35974852</div>
<div class="">flow.spare | Total | 12132</div>
<div class="">flow.emerg_mode_entered | Total | 2417</div>
<div class="">flow.emerg_mode_over | Total | 2417</div>
<div class="">flow.tcp_reuse | Total | 336896</div>
<div class="">flow_mgr.flows_checked | Total | 101564</div>
<div class="">flow_mgr.flows_notimeout | Total | 99325</div>
<div class="">flow_mgr.flows_timeout | Total | 2239</div>
<div class="">flow_mgr.flows_timeout_inuse | Total | 30</div>
<div class="">flow_mgr.flows_removed | Total | 2209</div>
<div class="">flow_mgr.rows_checked | Total | 65536</div>
<div class="">flow_mgr.rows_skipped | Total | 52198</div>
<div class="">flow_mgr.rows_maxlen | Total | 21</div>
<div class="">tcp.memuse | Total | 40454272</div>
<div class="">tcp.reassembly_memuse | Total | 18446744073614294924</div>
<div class="">dns.memuse | Total | 16901536</div>
<div class="">dns.memcap_global | Total | 78771302</div>
<div class="">http.memuse | Total | 15319405</div>
<div class="">flow.memuse | Total | 129957280</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Jeffrey Collyer<br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Information Security Engineer<br class="">
University of Virginia<br class="">
434-297-6317</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Feb 1, 2017, at 8:49 AM, Peter Manev <<a href="mailto:petermanev@gmail.com" class="">petermanev@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><span style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">On
Wed, Feb 1, 2017 at 2:31 PM, Collyer, Jeffrey W. (jwc3f)</span><br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class=""><</span><a href="mailto:jwc3f@virginia.edu" style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">jwc3f@virginia.edu</a><span style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">>
wrote:</span><br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<blockquote type="cite" style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">
So I’ve followed the 10G tuning guide, to what looks like great success.<br class="">
This is on an Intel X520 card with AF_PACKET and 1 RSS queue. The traffic<br class="">
load fluctuates between 4 and a peak of about 8 Gbps.<br class="">
</blockquote>
<br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Out
of curiosity what specs do you have - for CPU/RAM/OS/kernel?</span><br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<blockquote type="cite" style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">
<br class="">
capture.kernel_packets | Total |<br class="">
22028847471<br class="">
capture.kernel_drops | Total |<br class="">
40166<br class="">
decoder.pkts | Total<br class="">
| 22028920807<br class="">
<br class="">
</blockquote>
<br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Can
you please paste the last (full section ) log update?</span><br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<blockquote type="cite" style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">
<br class="">
In digging around further, netstat -s shows about 3% of packet reassemblies<br class="">
failing. Is this normal? This is my first foray into 10G capture and I<br class="">
don’t know what is normal at what level of diagnostic yet, and was hoping<br class="">
someone with more experience could tell me if this was a problem or not.<br class="">
<br class="">
I expanded the ipfrag_high_thresh kernel memory to try to allow more memory<br class="">
for packet reassembly in case that was a factor.<br class="">
<br class="">
# expand ip_frag threshold to help packet reassembly<br class="">
net.ipv4.ipfrag_high_thresh = 8388608<br class="">
<br class="">
Ip:<br class="">
4509211 total packets received<br class="">
0 forwarded<br class="">
0 incoming packets discarded<br class="">
3351761 incoming packets delivered<br class="">
2369930 requests sent out<br class="">
121777 fragments dropped after timeout<br class="">
258550565 reassemblies required<br class="">
72996695 packets reassembled ok<br class="">
7823209 packet reassembles failed<br class="">
<br class="">
Thanks for any advice.<br class="">
Jeff<br class="">
<br class="">
<br class="">
Jeffrey Collyer<br class="">
Information Security Engineer<br class="">
University of Virginia<br class="">
434-297-6317<br class="">
<br class="">
<br class="">
_______________________________________________<br class="">
Suricata IDS Users mailing list:<span class="Apple-converted-space"> </span><a href="mailto:oisf-users@openinfosecfoundation.org" class="">oisf-users@openinfosecfoundation.org</a><br class="">
Site:<span class="Apple-converted-space"> </span><a href="http://suricata-ids.org/" class="">http://suricata-ids.org</a><span class="Apple-converted-space"> </span>| Support:<span class="Apple-converted-space"> </span><a href="http://suricata-ids.org/support/" class="">http://suricata-ids.org/support/</a><br class="">
List:<span class="Apple-converted-space"> </span><a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" class="">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br class="">
<br class="">
</blockquote>
<br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">--<span class="Apple-converted-space"> </span></span><br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Regards,</span><br style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Peter
Manev</span></div>
</blockquote>
</div>
<br class="">
</div>
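<div class="">A small checker for the stats dump above, added here as an example and not part of this thread or of Suricata: it parses the <code>Counter | TM Name | Value</code> lines, flags any counter whose raw value sits just below 2**64 (on the assumption that these counters are unsigned 64-bit integers, which would make <code>tcp.reassembly_memuse</code> a counter that has gone negative by 95256692 rather than a real memory figure), and computes the kernel-drop and netstat reassembly-failure percentages. The sample inputs are constructed from lines quoted in the thread.</div>

```python
"""Sanity-check counters from a Suricata stats.log dump (added example,
not Suricata's own code). Assumes the 'Counter | TM Name | Value' layout
shown above and that counters are unsigned 64-bit integers, so a value
just below 2**64 is a counter that went negative, not a real byte count."""
U64 = 1 << 64

# Constructed sample: a handful of lines copied from the dump above.
STATS_SAMPLE = """\
Counter | TM Name | Value
capture.kernel_packets | Total | 22604957367
capture.kernel_drops | Total | 40166
tcp.memuse | Total | 40454272
tcp.reassembly_memuse | Total | 18446744073614294924
"""

# Constructed sample of the netstat -s 'Ip:' block quoted in the thread.
NETSTAT_SAMPLE = """\
Ip:
    258550565 reassemblies required
    72996695 packets reassembled ok
    7823209 packet reassembles failed
"""

def parse_stats(text):
    """Return {counter_name: int_value} for every 'name | TM | value' line."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            counters[parts[0]] = int(parts[2])
    return counters

def as_signed64(value):
    """Reinterpret an unsigned 64-bit counter as two's-complement signed."""
    return value - U64 if value >= U64 // 2 else value

def wrapped_counters(counters):
    """Counters whose raw value only makes sense as an underflowed u64:
    name -> (raw value, signed value)."""
    return {n: (v, as_signed64(v)) for n, v in counters.items() if v >= U64 // 2}

def pct(counters, num, den):
    """num as a percentage of den; 0.0 when den is missing or zero."""
    return 100.0 * counters.get(num, 0) / counters[den] if counters.get(den) else 0.0

def netstat_reassembly_fail_pct(text):
    """Share of IP reassemblies that failed, from a netstat -s 'Ip:' block."""
    vals = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].isdigit():
            vals[" ".join(words[1:])] = int(words[0])
    required = vals.get("reassemblies required", 0)
    return 100.0 * vals.get("packet reassembles failed", 0) / required if required else 0.0
```

<div class="">Run against the full dump, <code>wrapped_counters</code> is the quick way to tell a wrapped counter from a genuinely huge one before chasing a memory problem that is not there.</div>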
</body>
</html>