<div dir="ltr">Hi,<div><br></div><div>Based on the instance type and interface name, you're most likely using enhanced networking, but, to be on the safe side, can you confirm?</div><div><br></div><div><pre>$ modinfo ena</pre></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 23, 2019 at 3:07 AM 徐慧 &lt;<a href="mailto:xuh881026@gmail.com">xuh881026@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi, team:<br>
Since AWS traffic mirroring uses a VXLAN tunnel, I have to use the 5.0-dev version. I deployed Suricata on AWS, but recently noticed that <code>capture.kernel_drops</code> appears in stats.log when traffic reaches 2 Gbit/s. I tried rsyncing a large file, and <code>capture.kernel_drops</code> appears in stats.log. Loading the default ET rules.<br>
I hope anyone can help me, any advice is good! Guys, I need your help very much.<br>
<pre>
# Client rsync files
$ rsync -trovpgP xxx.tgz /usr/local/data/xxx.tgz
sending incremental file list
xxx.tgz
  3,361,243,136  51%  114.14MB/s  0:00:27

# Suricata Server:
$ suricata --af-packet -c /etc/suricata/suricata.yaml
[24073] 23/8/2019 -- 01:51:19 - (tm-threads.c:2145) &lt;Notice&gt; (TmThreadWaitOnThreadInit) -- all 14 packet processing threads, 4 management threads initialized, engine started.
[24073] 23/8/2019 -- 01:53:58 - (suricata.c:2851) &lt;Notice&gt; (SuricataMainLoop) -- Signal Received. Stopping engine.
[24073] 23/8/2019 -- 01:54:01 - (util-device.c:317) &lt;Notice&gt; (LiveDeviceListClean) -- Stats for 'ens5': pkts: 11270384, drop: 2046365 (18.16%), invalid chksum: 0
</pre>
According to the official documentation, I made some optimizations:<br>
<a href="https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#rss" target="_blank">https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#rss</a><br>
But I can't set RSS queues to 1:<br>
<pre>
$ ethtool -L ens5 combined 1
Cannot set device channel parameters: Operation not supported
</pre>
Amazon EC2 C5<br>
EC2 Hardware:<br>
RAM: 32G<br>
CPU (single): 16 Core (Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz)<br>
NIC:<br>
<pre>
$ ethtool -l ens5
Channel parameters for ens5:
Pre-set maximums:
RX:             8
TX:             8
Other:          0
Combined:       0
Current hardware settings:
RX:             8
TX:             8
Other:          0
Combined:       0

$ ethtool -i ens5
driver: ena
version: 2.0.3K
firmware-version:
expansion-rom-version:
bus-info: 0000:00:05.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
</pre>
Suricata Version: 5.0.0-dev (3a912446a 2019-07-22)<br>
Suricata Config:<br>
<pre>
af-packet:
  - interface: ens5
    threads: 14
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 400000
    block-size: 393216
    #block-timeout: 10
    #use-emergency-flush: yes
    # buffer-size: 32768
    # disable-promisc: no
    #checksum-checks: kernel
    #bpf-filter: port 80 or udp
    #copy-mode: ips
    #copy-iface: eth1

  - interface: default
    threads: auto
    use-mmap: yes
    tpacket-v3: yes

max-pending-packets: 1024
runmode: workers
default-packet-size: 1522

defrag:
  memcap: 4gb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

flow:
  memcap: 4gb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30

stream:
  memcap: 4gb
  checksum-validation: no
  inline: no
  bypass: yes
  reassembly:
    memcap: 8gb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

detect:
  profile: custom
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000

mpm-algo: hs
spm-algo: hs

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "0-1" ]
        mode: "balanced"
        prio:
          default: "medium"
    - worker-cpu-set:
        cpu: [ "2-15" ]
        mode: "exclusive"
        prio:
          default: "high"
</pre>
</div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
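<p>As an added diagnostic (not code from either poster or from the Suricata project), the Python script below parses the per-thread <code>capture.kernel_packets</code> / <code>capture.kernel_drops</code> rows of a stats.log and reports whether drops are spread across all workers or concentrated on one, which is what a single large flow such as one rsync transfer produces under <code>cluster_flow</code>, since per-flow load balancing pins the whole flow to a single worker. The stats.log content is constructed, and the 1% threshold is an assumed value.</p>

```python
import re
from collections import defaultdict

# Constructed sample in the layout Suricata writes to stats.log (per-thread rows
# plus a Total row). The numbers are made up for illustration, not from the thread.
SAMPLE_STATS_LOG = """\
Date: 8/23/2019 -- 01:53:58 (uptime: 0d, 00h 02m 39s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
capture.kernel_packets                        | W#01-ens5                 | 9000000
capture.kernel_drops                          | W#01-ens5                 | 2000000
capture.kernel_packets                        | W#02-ens5                 | 1200000
capture.kernel_drops                          | W#02-ens5                 | 0
capture.kernel_packets                        | W#03-ens5                 | 1070384
capture.kernel_drops                          | W#03-ens5                 | 46365
capture.kernel_packets                        | Total                     | 11270384
capture.kernel_drops                          | Total                     | 2046365
"""

ROW = re.compile(r"^(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_capture_counters(text):
    """Return {thread: {'packets': n, 'drops': n}} from the last stats dump in text."""
    # Counters are cumulative, so only the most recent "Date:" block matters.
    counters = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.split("Date:")[-1].splitlines():
        m = ROW.match(line)
        if m:
            name, thread, value = m.groups()
            counters[thread]["packets" if name.endswith("packets") else "drops"] = int(value)
    return dict(counters)

def drop_report(counters, threshold_pct=1.0):
    """Drop % per row (same ratio as Suricata's 'drop: n (x%)' line) and where it lands."""
    pct = {t: round(100.0 * c["drops"] / c["packets"], 2)
           for t, c in counters.items() if c["packets"]}
    workers = {t: c for t, c in counters.items() if t != "Total"}
    total_drops = sum(c["drops"] for c in workers.values())
    worst = max(workers, key=lambda t: workers[t]["drops"]) if total_drops else None
    return {
        "pct": pct,
        "over_threshold": sorted(t for t in workers if pct.get(t, 0) >= threshold_pct),
        "worst": worst,  # a share near 100% means one worker (one flow) takes the hit
        "worst_share_pct": round(100.0 * workers[worst]["drops"] / total_drops, 1) if worst else 0.0,
    }

if __name__ == "__main__":
    print(drop_report(parse_capture_counters(SAMPLE_STATS_LOG)))
```

Run it against a real stats.log (`python3 script.py < /var/log/suricata/stats.log` after swapping the sample for `sys.stdin.read()`) to see whether the Total drop rate reported at shutdown is driven by a single worker.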