<div dir="ltr">
<div>Hi,</div>
<div><br></div>
<div>I am pretty new to Suricata and started to play around with it.</div>
<div>I have Suricata 4.0.4 running on a CentOS7 box that has 20 cores (40 on-line CPUs), an Intel X710 NIC, and 64GB RAM.</div>
<div><br></div>
<div>I am using AF_Packet with the following settings, plus some other settings mentioned below:</div>
<div><br></div>
<pre># Linux high speed capture support
af-packet:
  - interface: em1
    threads: 24
    cluster-id: 99
    cluster-type: cluster_cpu
    defrag: yes
    use-mmap: yes
    ring-size: 30000

......

max-pending-packets: 10000
runmode: workers
mpm-algo: auto
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "all" ]  # include only these cpus in affinity settings
        mode: "balanced"
        prio:
          default: "low"
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"

detect-thread-ratio: 1.0
</pre>
<div><br></div>
<div>I am monitoring a ~5GBps link and getting high kernel_drop packets seen in stats.log:</div>
<pre>capture.kernel_packets                     | Total                     | 301360376
capture.kernel_drops                       | Total                     | 67468903
</pre>
<div><br></div>
<div>Any idea how I can reduce the kernel drop rate of packets, or how I can check if af_packet threads are working correctly?</div>
<div><br></div>
<div>I have also disabled the checksumming on the ethernet interface:</div>
<pre># ethtool -K em1 rx off tx off tso off sg off gso off gro off</pre>
<div><br></div>
<div>Any help appreciated.</div>
<div><br></div>
<div>Thanks,<br>Fatema.</div>
</div>
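Added example (not from the original post): a small Python script that pulls the capture.kernel_packets and capture.kernel_drops totals out of consecutive stats.log dumps and reports the cumulative and per-interval drop percentage, which is the figure to watch while tuning af-packet settings. The stats.log sample is constructed; its first dump reuses the two counters quoted above and the second dump's values are assumed.

```python
"""Added example: cumulative and per-interval kernel drop rate from Suricata stats.log."""
import re

# Constructed sample of two stats.log dumps; dump 1 uses the post's counters, dump 2 is assumed.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 5/3/2018 -- 10:00:00 (uptime: 0d, 01h 00m 00s)
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 301360376
capture.kernel_drops                       | Total                     | 67468903
------------------------------------------------------------------------------------
Date: 5/3/2018 -- 10:00:08 (uptime: 0d, 01h 00m 08s)
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 305360376
capture.kernel_drops                       | Total                     | 67568903
"""

COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_stats_log(text):
    """Return one {counter: value} dict per dump; each 'Date:' line starts a new dump."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append({})
        elif dumps:
            m = COUNTER_RE.match(line)
            if m and m.group(2) == "Total":  # skip per-thread rows, keep the totals
                dumps[-1][m.group(1)] = int(m.group(3))
    return dumps

def drop_rate(packets, drops):
    """Percentage of packets seen by the kernel that it dropped (0.0 when idle)."""
    return 100.0 * drops / packets if packets else 0.0

def cumulative_rate(dump):
    return drop_rate(dump.get("capture.kernel_packets", 0), dump.get("capture.kernel_drops", 0))

def interval_rates(dumps):
    """Drop rate inside each interval: counters are cumulative, so diff consecutive dumps."""
    rates = []
    for prev, cur in zip(dumps, dumps[1:]):
        d_pkts = cur["capture.kernel_packets"] - prev["capture.kernel_packets"]
        d_drop = cur["capture.kernel_drops"] - prev["capture.kernel_drops"]
        rates.append(drop_rate(d_pkts, d_drop))
    return rates

if __name__ == "__main__":
    dumps = parse_stats_log(SAMPLE_STATS_LOG)
    print("cumulative %:", [round(cumulative_rate(d), 2) for d in dumps])
    print("per interval %:", [round(r, 2) for r in interval_rates(dumps)])
```

Point it at the real stats.log (`parse_stats_log(open("/var/log/suricata/stats.log").read())`) to see whether drops are a steady share of traffic or concentrated in bursts.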