[Oisf-users] Packets stucked in Nfqueue when running inline
Eric Leblond
eric at regit.org
Mon Jun 20 17:46:24 EDT 2011
Hello,
On Monday 20 June 2011 at 12:34 -0500, Fernando Ortiz wrote:
> Hello, I am running suricata 1.1beta2 (rev ) inline with this command:
>
>
> suricata -c /etc/suricata/suricata.yaml -q1 -q2 -D
>
> Everything seems to work just fine, but when I check nfnetlink_queue,
> i see there are some packets in queue waiting for verdict.
>
>
> @ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue
>
> 1 10893 555 2 65535 0 0 169915460 1
> 2 -4282 552 2 65535 0 0 169915475 1
>
>
> This happens most at night. Traffic is around 15 Mb/s with peaks at 20
> Mb/s. The packets stuck are few compared with the total number of
> packets processed by Suricata. No problems reported by anyone in the
> network.
I've rarely looked at this proc file when using nfnetlink_queue. I sadly
cannot tell if it is frequent.
What I can tell is that Suricata did not reach an nfnetlink overrun (it
should have restarted the packet counter). Suricata does sequential
reading and thus this is not a read problem (people are not
complaining). One possibility is that some packets remained
blocked in Suricata.
I see one possibility to check this:
* Flush iptables rules (to block the packet counter in /proc)
* Wait a few seconds for delivery of all packets
* Get the number of packets queued from /proc (equal to last
number before 1 in the proc file)
* Stop suricata
* Retrieve NFQ packets statistics in the log output (Pkts accepted
%"PRIu32", dropped %"PRIu32", replaced %"PRIu32)
With that we will be able to compare the number of queued packets to the
number of packets received and answered by Suricata. If Suricata has not seen
the 555 packets queued, there is a problem before reaching Suricata.
> If I bypassed Suricata (iptables -F) packets are still there until I
> kill suricata process.
This part is normal: the packets are in a waiting stage and are freed
when the listening process terminates (queue flush). Iptables cannot be
used to clear these packets.
BR,
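As an added helper for the comparison described in the reply (example code, not from the thread or the Suricata project): it parses the nfnetlink_queue proc lines quoted above together with Suricata's "Pkts accepted/dropped/replaced" exit counters and reports, per queue, how many packets are waiting and how many the kernel queued that Suricata never answered. It assumes the kernel's column order (queue number, peer portid, packets waiting, copy mode, copy range, kernel drops, userspace drops, id sequence) and that Suricata prints one stats line per -q queue in queue order; the log lines are constructed samples.

```python
# Added example (not from the list thread): parse /proc/net/netfilter/nfnetlink_queue
# and Suricata's NFQ exit counters to work out where unverdicted packets sit.
import re

# Column order of the kernel's nfnetlink_queue proc file; the trailing "1" is ignored
PROC_FIELDS = ("queue_num", "peer_portid", "queue_total", "copy_mode",
               "copy_range", "queue_dropped", "queue_user_dropped", "id_sequence")

# Constructed sample: the two lines quoted in the report
SAMPLE_PROC = """\
1 10893 555 2 65535 0 0 169915460 1
2 -4282 552 2 65535 0 0 169915475 1
"""

# Constructed Suricata exit statistics: assumed one line per -q queue, in queue
# order (counter values invented to fit the proc sample above)
SAMPLE_LOG = """\
NFQ queue 1: Pkts accepted 169914905, dropped 0, replaced 0
NFQ queue 2: Pkts accepted 169915200, dropped 0, replaced 0
"""
STATS_RE = re.compile(r"Pkts accepted (\d+), dropped (\d+), replaced (\d+)")

def parse_nfnetlink_queue(text):
    """Return one dict per queue line, all columns converted to int."""
    queues = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= len(PROC_FIELDS):
            queues.append(dict(zip(PROC_FIELDS, map(int, cols))))
    return queues

def parse_suricata_stats(text):
    """Packets Suricata verdicted (accepted + dropped + replaced), per stats line."""
    return [sum(map(int, m.groups())) for m in STATS_RE.finditer(text)]

def diagnose(proc_text, log_text):
    """Map queue number -> (waiting, never_verdicted, where they are stuck)."""
    report = {}
    stats = parse_suricata_stats(log_text)
    for q, verdicted in zip(parse_nfnetlink_queue(proc_text), stats):
        waiting = q["queue_total"]                 # packets still awaiting a verdict
        # id_sequence counts every packet the kernel ever handed to this queue
        never_verdicted = q["id_sequence"] - verdicted
        if never_verdicted >= waiting:
            where = "before suricata"   # Suricata never saw the waiting packets
        else:
            where = "inside suricata"   # Suricata got them but no verdict came back
        report[q["queue_num"]] = (waiting, never_verdicted, where)
    return report

for num, (w, missing, where) in diagnose(SAMPLE_PROC, SAMPLE_LOG).items():
    print(f"queue {num}: {w} waiting, {missing} never verdicted -> {where}")
```

Run it on the real proc file captured after flushing the iptables rules and on the stats lines Suricata prints at shutdown; a queue reported as "before suricata" points at the kernel/netlink side rather than at Suricata.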