[Oisf-users] Getting 'nf_queue: full' messages - how to increase ?
Pablo
pablo.rincon.crespo at gmail.com
Thu Aug 26 16:13:38 UTC 2010
I'm not sure, but maybe it's related to the value at "
/proc/sys/net/nf_conntrack_max " or " /proc/sys/net/netfilter/nf_
conntrack_buckets "
You can increase this values with for example
echo "123456" > /proc/sys/net/nf_conntrack_max
If not, maybe you can try to search that limit value of 200 with..
find /proc/sys/net/ -name "*conntrack*" -exec echo {} \; -exec grep 200 {}
\;
Anyway, 200 entries by default seems to be a low value.
You may also want to enable/increase the value of max-pending-packets at
suricata.yaml
Let us know if you find out a solution.
Best regards,
--
Pablo Rincón Crespo
Security researcher and developer
Open Information Security Foundation ( http://www.openinfosecfoundation.org)
2010/8/26 Morgan Cox <morgancoxuk at gmail.com>
> Hi.
>
> I am running suricata on Ubuntu10.04.
>
> I am getting the following messages occasionally
>
> [ 4156.985131] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 1
>
> [ 4156.985234] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 2
>
> [ 4156.985357] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 3
>
> [ 4156.985481] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 4
>
> [ 4156.985603] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 5
>
> [ 4156.985664] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 6
>
> [ 4156.985788] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 7
>
> [ 4156.985910] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 8
>
> [ 4156.986033] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 9
>
> [ 4156.986157] nf_queue: full at 200 entries, dropping packets(s). Dropped:
> 10
>
> Is there a way to increase the queue size ?
>
> Cheers
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20100826/162c16d6/attachment-0002.html>
More information about the Oisf-users
mailing list