[Oisf-users] TCP reassembly gaps

[Chris Wakelin]

On 21/04/12 13:02, Seth Hall wrote:
> 
> On Apr 21, 2012, at 6:19 AM, Chris Wakelin wrote:
> 
>> The other odd thing of course is that the switch is VLAN-tagging
>> packets in one direction only, which might be confusing things.
> 
> 
> I would kind of expect RSS to get messed up with the VLAN tagged
> packets in one direction.  Have you tried disabling that?

Yes, just tried it again to be sure. It seems to make no difference at
all, which might mean RSS isn't actually helping in any case.

The number of gaps does vary with the traffic load. Our students are
back now and using their full 800Mb in the evenings. PF_RING is happily
reporting no lost packets though.

I'm still guessing this is an issue with PF_RING rather than the machine
being unable to cope with the traffic. I might try updating to the
latest SVN (there's fixes for locking apparently).

> 
> For Bro we have a script that does the gap counting and reporting in
> production.  It's the same technique that wireshark uses for it's gap
> reporting, but you can run it all the time on live traffic with Bro.
> The script is named "misc/capture-loss" and I can help you out with
> it if you're interested.

I might have a look; it's probably a quicker way to see the problem than
getting a tcpdump and running Suricata or wireshark on it!

> 
> .Seth
> 

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094