[Oisf-users] Oisf-users Digest, Vol 14, Issue 2

David Rodrigues david.network.security at gmail.com
Thu Jan 13 14:48:51 UTC 2011


Thanks Josh. I'm going to try PF_Ring. I'm a bit afraid of the number of
rules, though...

David

2011/1/11 Josh <josh at securemind.org>

> David,
>
> Our peak internal traffic (~2.5Gbps) runs constantly for a few hours a day
> and we handle it fine without dropping any packets. We however have a
> really specific set of rules defined and we are using PF_Ring. Does the
> job fine on a quad-core with 16GB of RAM. The box is around 25% loaded
> during peak times.
>
> Josh
>
>
> On Monday, January 10, 2011 09:53:57 am David Rodrigues wrote:
> > Thanks Victor. I will try all that.
> >
> > But as Dave pointed out, (now that I understand the output) I think even
> > these statistics (pcap) are not reliable. I'm trying Suricata in a network
> > with a packet rate > 100,000 packets/second (~1 Gbps), and more than 300,000
> > packets/second in peak hours (~3 Gbps) (normal days). And the amount of
> > packets analyzed by Suricata (and the statistics given by pcap) is very
> > small compared to these numbers. I may have to move to PF_RING.
> >
> > Is there anyone with this network configuration who manages to analyze
> > everything with pcap?
> >
> > David
> >
> > On Mon, Jan 10, 2011 at 10:17 AM, Victor Julien <victor at inliniac.net> wrote:
> > > On 01/06/2011 09:49 AM, David Rodrigues wrote:
> > > > Thanks Dave for the explanation. I'll definitely give pf_ring a try.
> > > > However, now that I'm looking more carefully at the output, I see that
> > > > the two lines show different results:
> > > >
> > > > [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes 14643147733
> > > > [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236 Recv:71318162 Drop:46416074 (39.4%).
> > > >
> > > > In the first line, the number of received/total(?) packets is 24902042.
> > > > In the second line the number of packets(?) is completely different:
> > > > 117734236 total and 71318162 received.
> > > >
> > > > Looking into the code, the first line came from tv (ThreadVars) while
> > > > the second line came from data (PcapThreadVars). However I don't
> > > > understand what is the difference between them.
> > >
> > > Not completely. The first line is from the thread's internal accounting.
> > > It contains the number of packets that Suricata actually read to be
> > > processed.
> > >
> > > The second line contains stats that come from the pcap interface. So
> > > that's not a number Suricata keeps.
> > >
> > >
> > > Have you tried increasing the pcap buffer size with the
> > > --pcap-buffer-size commandline option?
> > >
> > > And have you tried increasing the max-pending-packets setting in
> > > suricata.yaml?
> > >
> > > Cheers,
> > > Victor
> > >
> > > --
> > > ---------------------------------------------
> > > Victor Julien
> > > http://www.inliniac.net/
> > > PGP: http://www.inliniac.net/victorjulien.asc
> > > ---------------------------------------------
> > >
> > > _______________________________________________
> > > Oisf-users mailing list
> > > Oisf-users at openinfosecfoundation.org
> > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
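As an added example (it is not from this thread and not Suricata project code), here is a small Python script that reads the two ReceivePcap thread-exit lines Victor distinguishes above, recomputes the drop rate from the raw counters rather than trusting the "(39.4%)" text, and cross-checks the two sources against each other: pcap's own Recv + Drop must equal Total, and the packet count Suricata keeps can be compared with what pcap says it handed over. The sample log text is the pair of lines quoted in the thread, embedded as a constructed string; the 1% drop threshold and all function names are my own assumptions.

```python
import re

# Constructed sample input: the two ReceivePcap thread-exit lines quoted in the
# thread above, copied into a string so the script runs offline.
SAMPLE_LOG = """\
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes 14643147733
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236 Recv:71318162 Drop:46416074 (39.4%).
"""

# Suricata's own accounting: packets the ReceivePcap thread actually read.
INTERNAL_RE = re.compile(r"\(ReceivePcap\) Packets (\d+), bytes (\d+)")
# The capture layer's counters (from the pcap interface): seen, handed over, dropped.
PCAP_RE = re.compile(r"\(ReceivePcap\) Pcap Total:(\d+) Recv:(\d+) Drop:(\d+)")


def parse_exit_stats(log_text):
    """Extract both counter sets from suricata.log text.

    Fields that were not logged stay None, so the caller can tell
    'missing line' from a genuine zero.
    """
    stats = {"packets": None, "bytes": None,
             "pcap_total": None, "pcap_recv": None, "pcap_drop": None}
    for line in log_text.splitlines():
        m = INTERNAL_RE.search(line)
        if m:
            stats["packets"], stats["bytes"] = (int(g) for g in m.groups())
            continue
        m = PCAP_RE.search(line)
        if m:
            stats["pcap_total"], stats["pcap_recv"], stats["pcap_drop"] = (
                int(g) for g in m.groups())
    return stats


def drop_percent(stats):
    """Drop rate recomputed from the raw counters, not read from the '(39.4%)' text."""
    total = stats["pcap_total"]
    if not total:
        return 0.0
    return 100.0 * stats["pcap_drop"] / total


def assess(stats, max_drop_percent=1.0):
    """Return human-readable findings; an empty list means the capture looks healthy.

    max_drop_percent is an assumed threshold (hypothetical); tune it to your
    monitoring goal.
    """
    findings = []
    if any(stats[k] is None for k in ("packets", "pcap_total", "pcap_recv", "pcap_drop")):
        findings.append("one of the two ReceivePcap exit lines is missing; cannot cross-check")
        return findings
    if stats["pcap_recv"] + stats["pcap_drop"] != stats["pcap_total"]:
        findings.append("pcap counters are inconsistent: Recv + Drop != Total")
    pct = drop_percent(stats)
    if pct > max_drop_percent:
        findings.append("pcap dropped %.1f%% of packets (limit %.1f%%)" % (pct, max_drop_percent))
    # Packets pcap says it handed over but that never showed up in Suricata's own count.
    unaccounted = stats["pcap_recv"] - stats["packets"]
    if unaccounted > 0:
        findings.append("%d packets reported received by pcap but not read by the "
                        "ReceivePcap thread" % unaccounted)
    return findings


if __name__ == "__main__":
    s = parse_exit_stats(SAMPLE_LOG)
    print("Suricata read %d packets; pcap Recv=%d Drop=%d (%.1f%%)"
          % (s["packets"], s["pcap_recv"], s["pcap_drop"], drop_percent(s)))
    for finding in assess(s):
        print("  -", finding)
```

Run it against a real suricata.log by replacing SAMPLE_LOG with the file's contents; on the numbers from the thread it confirms that the pcap counters add up, reports the 39.4% drop rate, and shows that the two lines count different things (about 46 million packets counted as received by pcap do not appear in the thread's own count), which is the discrepancy David noticed.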