<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Big fan. Long time listener, first time caller. :-)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Revisiting Suricata for new needs. I am experiencing a large number of kernel_drops.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It is likely due to ...</p>
<p class="MsoNormal">1) the mysterious failure of my 4.10 kernel to process af_packet fanout.</p>
<p class="MsoNormal"> - I used https://github.com/JustinAzoff/can-i-use-afpacket-fanout to make that diagnosis.</p>
<p class="MsoNormal">2) the presence of multiple receive queues in the vmxnet3 Ethernet device (VMware).</p>
<p class="MsoNormal"> - I MAY have worked around that, see OS/DEVICE DETAILS. I tried setting the indirection table to use one queue. Ummm … I think. :-)</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I just do not know whether kernel_drops are the/a symptom of these 2 issues. Details below.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thx for a great tool. Thx for any help.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> hunter<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">STATS.LOG<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">---------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ grep -B5 drops /var/log/suricata/stats.log | tail -6<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">Date: 8/2/2017 -- 23:14:56 (uptime: 1d, 02h 39m 00s)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">-----------------------------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">Counter | TM Name | Value<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">------------------------------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">capture.kernel_packets | Total | 3326654970<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">capture.kernel_drops | Total | 19183864<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">OS/DEVICE DETAILS<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">-----------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">(kernel updated via "apt-get install linux-image-generic-hwe-16.04")<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">16 cpu/32GB RAM running on vmware<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ cat /etc/os-release | head -2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">NAME="Ubuntu"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">VERSION="16.04.2 LTS (Xenial Xerus)"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ uname -a<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">Linux vcasuricatap01 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ ethtool -i ens224<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">driver: vmxnet3<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">version: 1.4.a.0-k-NAPI<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ ethtool -n ens224<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">8 RX rings available<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ ethtool -x ens224<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">RX flow hash indirection table for ens224 with 8 RX ring(s):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"> 0: 0 0 0 0 0 0 0 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"> 8: 0 0 0 0 0 0 0 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"> 16: 0 0 0 0 0 0 0 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"> 24: 0 0 0 0 0 0 0 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">RSS hash key:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">SURICATA DETAILS (installed via apt-get)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">----------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ suricata --build-info<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">This is Suricata version 3.2.3 RELEASE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">SIMD support: none<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">Atomic intrisics: 1 2 4 8 byte(s)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">64-bits, Little-endian architecture<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">GCC version 5.4.0 20160609, C version 199901<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">compiled with _FORTIFY_SOURCE=2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">L1 cache line size (CLS)=64<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">thread local storage method: __thread<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">FANOUT TEST<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">-----------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ sudo ./can-i-use-afpacket-fanout -interface ens224 2>&1 | grep Final<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">2017/08/02 23:12:59 Final Stats: packets=1506 flows=101 success_flows=15 failed_flows=63 pkt_success=357 pkt_reverse_success=229 pkt_failures=1048 pkt_reverse_failures=904<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">RUN DETAILS<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">-----------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">I did not set runmode “workers” explicitly, but the smooth distribution across all 16 CPUs makes me pretty sure that was the setting in play.</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ ps aux | grep suricata<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">root 7749 59.6 0.4 1619732 151048 ? Ssl 23:24 0:06 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv --disable-detection<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">CONFIG FILE DETAIL (af-packet)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">-------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">af-packet:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"> - interface: ens224<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"> cluster-id: 99<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"> cluster-type: cluster_flow<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"> defrag: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"> use-mmap: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">NETWORK LOAD<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">--------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">$ sar -n DEV 10 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">Linux 4.10.0-28-generic (vcasuricatap01) 08/02/17 _x86_64_ (16 CPU)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">23:30:17 IFACE rxpck/s txpck/s rxkB/s txkB/s<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Monaco",sans-serif">23:30:27 ens224 53178.80 0.00 44525.42 0.00<o:p></o:p></span></p>
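<p class="MsoNormal">As an added example, not code from the post or from the Suricata project: a small Python checker that parses the three outputs quoted above (the stats.log Total rows, the Final Stats line of can-i-use-afpacket-fanout, and the ethtool -x indirection table) and reports the kernel-drop ratio, whether fanout kept each flow on one socket, and how many RX queues the NIC spreads packets across. It assumes a working fanout reports zero failed_flows; the sample inputs are constructed from the figures in the post.</p>

```python
import re

# Constructed sample inputs, built from the figures quoted in the post above.
STATS_LOG = """\
Counter                | TM Name | Value
--------------------------------------------
capture.kernel_packets | Total   | 3326654970
capture.kernel_drops   | Total   | 19183864
"""
FANOUT_LINE = ("2017/08/02 23:12:59 Final Stats: packets=1506 flows=101 "
               "success_flows=15 failed_flows=63 pkt_success=357 "
               "pkt_reverse_success=229 pkt_failures=1048 pkt_reverse_failures=904")
RSS_TABLE = """\
RX flow hash indirection table for ens224 with 8 RX ring(s):
    0:      0     0     0     0     0     0     0     0
    8:      0     0     0     0     0     0     0     0
   16:      0     0     0     0     0     0     0     0
   24:      0     0     0     0     0     0     0     0
RSS hash key:
"""

def parse_stats_totals(text):
    """Return {counter: value} for the 'Total' rows of a stats.log dump."""
    totals = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[1] == "Total" and parts[2].isdigit():
            totals[parts[0]] = int(parts[2])
    return totals

def kernel_drop_ratio(totals):
    """Fraction of packets the kernel saw that never reached Suricata."""
    pkts = totals.get("capture.kernel_packets", 0)
    return totals.get("capture.kernel_drops", 0) / pkts if pkts else 0.0

def parse_fanout_stats(line):
    """Split the tool's 'Final Stats: key=value ...' line into ints."""
    return {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", line)}

def fanout_looks_broken(stats):
    """Assumption: a working fanout keeps each flow on one socket (failed_flows == 0)."""
    return stats["failed_flows"] > 0

def rss_queues_in_use(table_text):
    """RX queue numbers referenced by an 'ethtool -x' indirection table."""
    queues = set()
    for line in table_text.splitlines():
        m = re.match(r"\s*\d+:\s+((?:\d+\s*)+)$", line)
        if m:
            queues.update(int(q) for q in m.group(1).split())
    return queues
```

<p class="MsoNormal">On the figures above it reports roughly 0.58% kernel drops, a broken fanout (63 flows split across sockets), and a single RX queue in use, which is consistent with the indirection-table workaround having taken effect.</p>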
</div>
</body>
</html>