[Oisf-users] Oisf-users Digest, Vol 14, Issue 2

David Rodrigues david.network.security at gmail.com
Mon Jan 10 14:53:57 UTC 2011


Thanks Victor. I will try all that.

But as Dave pointed out (now that I understand the output), I think even
these statistics (pcap) are not reliable. I'm trying Suricata in a network with
a packet rate > 100.000 packets/second (~1 Gbps). More than 300.000
packets/second in peak hours (~3 Gbps) (normal days). And the amount of
packets analyzed by Suricata (and the statistics given by pcap) is very
small compared to these numbers. I'll maybe have to move to PF_RING.

Is there anyone with this network configuration who manages to analyze
everything with pcap?

David

On Mon, Jan 10, 2011 at 10:17 AM, Victor Julien <victor at inliniac.net> wrote:

> On 01/06/2011 09:49 AM, David Rodrigues wrote:
> > Thanks Dave for the explanation. I'll definitively give pf_ring a try.
> > However, now that I'm looking more carefully at the output, I see that
> > the two lines show different results:
> >
> > [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info>
> > (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes
> > 14643147733
> > [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info>
> > (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236
> > Recv:71318162 Drop:46416074 (39.4%).
> >
> > In the first line, the number of received/total(?) packets is 24902042.
> > In the second line the number of packets(?) is completely different:
> > 117734236 total and 71318162 received.
> >
> > Looking into the code, the first line came from tv (ThreadVars) while
> > the second line came from data (PcapThreadVars). However, I don't
> > understand what the difference between them is.
>
> Not completely. The first line was from the thread's internal accounting.
> It contains the number of packets that Suricata actually read to be
> processed.
>
> The second line contains stats that come from the pcap interface. So
> that's not a number Suricata keeps.
>
>
> Have you tried increasing the pcap buffer size with the
> --pcap-buffer-size commandline option?
>
> And have you tried increasing the max-pending-packets setting in
> suricata.yaml?
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
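The two ReceivePcapThreadExitStats lines quoted above can be checked automatically for capture loss. The following is an added example, not code from the thread or from Suricata: it parses both lines (the sample text is the pair quoted in the thread), verifies that the pcap counters add up, computes the pcap drop percentage, and compares Suricata's own read count with what pcap says it received. The 5% alert threshold is an assumed value.

```python
import re

# Constructed sample: the two exit-stats lines quoted in this thread, unwrapped.
SAMPLE_LOG = """\
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes 14643147733
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236 Recv:71318162 Drop:46416074 (39.4%).
"""

# First line: Suricata's own thread accounting (packets the worker actually read).
THREAD_RE = re.compile(r"\(ReceivePcap\) Packets (\d+), bytes (\d+)")
# Second line: counters reported by the pcap interface, not kept by Suricata.
PCAP_RE = re.compile(r"Pcap Total:(\d+) Recv:(\d+) Drop:(\d+)")


def parse_exit_stats(log_text):
    """Extract both counter sets from the log; a set that is absent stays None."""
    stats = {"suricata_packets": None, "suricata_bytes": None,
             "pcap_total": None, "pcap_recv": None, "pcap_drop": None}
    for line in log_text.splitlines():
        m = THREAD_RE.search(line)
        if m:
            stats["suricata_packets"], stats["suricata_bytes"] = map(int, m.groups())
            continue
        m = PCAP_RE.search(line)
        if m:
            stats["pcap_total"], stats["pcap_recv"], stats["pcap_drop"] = map(int, m.groups())
    return stats


def capture_loss(stats, max_drop_pct=5.0):
    """Return drop percentage, Suricata-read share of pcap-received packets,
    a consistency check (Recv + Drop == Total) and an alert flag; max_drop_pct
    is an assumed threshold, not a Suricata setting."""
    total, recv, drop = stats["pcap_total"], stats["pcap_recv"], stats["pcap_drop"]
    if not total:
        return None
    drop_pct = 100.0 * drop / total
    read_pct = None
    if recv and stats["suricata_packets"] is not None:
        read_pct = round(100.0 * stats["suricata_packets"] / recv, 1)
    return {
        "drop_pct": round(drop_pct, 1),
        "read_pct_of_recv": read_pct,
        "consistent": recv + drop == total,
        "alert": drop_pct > max_drop_pct,
    }


if __name__ == "__main__":
    print(capture_loss(parse_exit_stats(SAMPLE_LOG)))
```

On the quoted lines this reports a 39.4% pcap-level drop and that the thread read about 34.9% of the packets pcap says it received, which is the gap the thread is discussing.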