[Oisf-users] Oisf-users Digest, Vol 14, Issue 2

Josh josh at securemind.org
Tue Jan 11 18:46:47 UTC 2011


David,

Our peak internal traffic (~2.5Gbps) runs constant for a few hours a day and we 
handle it fine without dropping any packets. We however have a really specific 
set of rules defined and we are using PF_Ring. Does the job fine on a quad-core 
with 16GB of RAM. The box is around 25% loaded during peak times. 

Josh


On Monday, January 10, 2011 09:53:57 am David Rodrigues wrote:
> Thanks Victor. I will try all that.
> 
> But as Dave pointed out, (now that I understand the output) I think even
> these statistics (pcap) are not reliable. I'm trying Suricata in a network
> with a packet rate > 100.000 packets/second (~1 Gbps). More than 300.000
> packets/second in peak hours (~3 Gbps) (normal days). And the amount of
> packets analyzed by Suricata (and the statistics given by pcap) is very
> small compared to these numbers. I'll maybe have to move to PF_RING.
> 
> Is there anyone with this network configuration who manages to analyze
> everything with pcap?
> 
> David
> 
> On Mon, Jan 10, 2011 at 10:17 AM, Victor Julien <victor at inliniac.net> wrote:
> > On 01/06/2011 09:49 AM, David Rodrigues wrote:
> > > Thanks Dave for the explanation. I'll definitely give pf_ring a try.
> > > However, now that I'm looking more carefully at the output, I see that
> > > the two lines show different results:
> > > 
> > > [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info>
> > > (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes
> > > 14643147733
> > > [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info>
> > > (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236
> > > Recv:71318162 Drop:46416074 (39.4%).
> > > 
> > > In the first line, the number of received/total(?) packets is 24902042.
> > > In the second line the number of packets(?) is completely different:
> > > 117734236 total and 71318162 received.
> > > 
> > > Looking into the code, the first line came from tv (ThreadVars) while
> > > the second line came from data (PcapThreadVars). However, I don't
> > > understand what the difference between them is.
> > 
> > Not completely. The first line was from the thread's internal accounting.
> > It contains the number of packets that Suricata actually read to be
> > processed.
> > 
> > The second line contains stats that come from the pcap interface. So
> > that's not a number Suricata keeps.
> > 
> > 
> > Have you tried increasing the pcap buffer size with the
> > --pcap-buffer-size command-line option?
> > 
> > And have you tried increasing the max-pending-packets setting in
> > suricata.yaml?
> > 
> > Cheers,
> > Victor
> > 
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> > 
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
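A small check, added here as an example and not part of the thread, that parses the two ReceivePcapThreadExitStats lines Victor explains above (Suricata's own read count versus libpcap's Total/Recv/Drop counters), verifies the pcap counters add up, computes the drop rate, and reports how the thread's read count compares with what pcap delivered. The sample lines are the ones quoted in the thread; the 1% drop threshold is an assumption.

```python
import re

# Constructed sample: the two exit-stats lines quoted earlier in this thread.
SAMPLE_LOG = """\
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes 14643147733
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236 Recv:71318162 Drop:46416074 (39.4%).
"""

# Line 1: the thread's own accounting (packets Suricata actually read).
THREAD_RE = re.compile(r"\(ReceivePcap\) Packets (\d+), bytes (\d+)")
# Line 2: counters reported by the pcap interface (pcap_stats style).
PCAP_RE = re.compile(r"Pcap Total:(\d+) Recv:(\d+) Drop:(\d+)")


def parse_exit_stats(text):
    """Return a dict with Suricata's read count and libpcap's counters."""
    stats = {}
    for line in text.splitlines():
        m = THREAD_RE.search(line)
        if m:
            stats["read_packets"] = int(m.group(1))
            stats["read_bytes"] = int(m.group(2))
            continue
        m = PCAP_RE.search(line)
        if m:
            total, recv, drop = (int(g) for g in m.groups())
            stats.update(pcap_total=total, pcap_recv=recv, pcap_drop=drop)
    return stats


def assess(stats, max_drop_pct=1.0):
    """Summarise capture health; max_drop_pct is an assumed threshold."""
    total = stats["pcap_total"]
    recv = stats["pcap_recv"]
    # Sanity check: pcap's received + dropped should equal its total.
    consistent = recv + stats["pcap_drop"] == total
    drop_pct = 100.0 * stats["pcap_drop"] / total if total else 0.0
    # Fraction of packets pcap delivered that the Suricata thread counted.
    read_ratio = stats["read_packets"] / recv if recv else 0.0
    return {
        "drop_pct": round(drop_pct, 1),
        "counters_consistent": consistent,
        "read_vs_recv": round(read_ratio, 3),
        "dropping": drop_pct > max_drop_pct,
    }


if __name__ == "__main__":
    print(assess(parse_exit_stats(SAMPLE_LOG)))
```

Run against a live suricata.log after a shutdown, a drop_pct above the threshold is the cue to try --pcap-buffer-size, max-pending-packets, or PF_RING as discussed above.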


