[Oisf-devel] 77b708=WIN?

Martin Holste mcholste at gmail.com
Tue Sep 27 18:14:15 UTC 2011


Chris, how much RAM do you have? I've gotten awesome performance now
that I did ac full (which takes a ton of RAM) and upped the pending
packets to 5k.

On Tue, Sep 27, 2011 at 12:33 PM, Chris Wakelin
<c.d.wakelin at reading.ac.uk> wrote:
> On 27/09/11 15:33, Chris Wakelin wrote:
>> I've just upgraded my campus network monitor to latest SVN
>> (6bad2dbd7964a2e465ff4829022acf1e6c34062d) and PF_RING 5.1.0 (non-DNA).
>>
>> I've applied two patches, my extended HTTP log one and Will's PF_RING
>> "single" runmode (included in part of Bug 315) but with the same changes
>> Anoop included in a844eecb0e115758eb87d515d37b9fcd877d2fec
>>
>> I'm running with 6 threads and --runmode=single.
>>
>
> I've found it's missing alerts in PF_RING but not pcap (suricata -r)
> mode again :(
>
> I've tried all three PF_RING runmodes, single, autofp and auto. The pcap
> is a download of a "Possible Windows executable sent ASCII-hex-encoded"
> file (ET rule 2012804). My pcaps of various Blackhole javascript
> requests seem to work, though.
>
> As far as I can see Eric's fix in Bug 315 should be equivalent to Will's
> (https://redmine.openinfosecfoundation.org/issues/315) apart from a
> change in the stats output.
>
> (I'm actually using a script around
>
> cat /proc/net/pf_ring/*-eth1.* |
> gawk -F": " '/^Appl. Name/{appname=$2}
> /^Tot Packets/&&appname=="Suricata"{pkts+=$2}
> /^Tot Pkt Lost/&&appname=="Suricata"{lost+=$2}
> END{print pkts "," lost}'
>
> for stats; might get around to writing a proper program for this sometime!)
>
> I've got "default-packet-size: 1522" but increasing it to 1530 makes no
> difference.
>
> Any ideas?
>
> Best Wishes
> Chris
>
> --
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
> Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
>
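The stats script quoted above, written out as a small program: this is an added Python example, not code from the thread or from Suricata or PF_RING, and it assumes the same "Key : Value" layout of the /proc/net/pf_ring/*-eth1.* files that the gawk one-liner reads. It sums packets and drops for the rings owned by Suricata and reports the loss fraction, which is the first thing to check when alerts go missing in PF_RING mode but not when replaying the pcap.

```python
"""Sum PF_RING ring counters for one application, like the gawk one-liner above.

PF_RING exposes one file per ring under /proc/net/pf_ring/<pid>-<dev>.<ring>
with "Key : Value" lines; the gawk script keys on "Appl. Name", "Tot Packets"
and "Tot Pkt Lost". The ring texts below are constructed samples, not a capture.
"""
import glob

SAMPLE_RINGS = {
    "4242-eth1.0": "Bound Device(s) : eth1\nAppl. Name : Suricata\n"
                   "Tot Packets : 1000\nTot Pkt Lost : 5\n",
    "4242-eth1.1": "Bound Device(s) : eth1\nAppl. Name : Suricata\n"
                   "Tot Packets : 500\nTot Pkt Lost : 20\n",
    # another reader on the same interface; must not be counted
    "4300-eth1.0": "Bound Device(s) : eth1\nAppl. Name : tcpdump\n"
                   "Tot Packets : 999\nTot Pkt Lost : 0\n",
}

def parse_ring(text):
    """Turn the 'Key : Value' lines of one ring file into a dict (keys trimmed)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def sum_counters(ring_texts, appname="Suricata"):
    """Return (packets, lost) summed over the rings owned by `appname`."""
    pkts = lost = 0
    for text in ring_texts:
        f = parse_ring(text)
        if f.get("Appl. Name") != appname:
            continue  # skip rings of other applications (e.g. tcpdump)
        pkts += int(f.get("Tot Packets", "0"))
        lost += int(f.get("Tot Pkt Lost", "0"))
    return pkts, lost

def loss_ratio(pkts, lost):
    """Fraction dropped; assumes Tot Packets = delivered and Tot Pkt Lost =
    dropped (an assumption about the PF_RING counter semantics)."""
    total = pkts + lost
    return lost / total if total else 0.0

def read_proc_rings(pattern="/proc/net/pf_ring/*-eth1.*"):
    """Live variant: sum the ring files matching `pattern` on this host."""
    texts = [open(p, errors="replace").read() for p in glob.glob(pattern)]
    return sum_counters(texts)
```

On a live sensor call read_proc_rings(); on the constructed sample rings sum_counters(SAMPLE_RINGS.values()) gives 1500 packets and 25 lost.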
