[Oisf-users] Percentage of dropped packets

Martin Holste mcholste at gmail.com
Wed May 30 13:33:58 UTC 2012 

If you're not already using PF_RING, you definitely want to start.
It's quite easy to compile now and is far more tested and better
supported right now than AF_PACKET fanout.  It also has very good
statistics to see what's going on and enhanced drivers.  I have a
howto article listed here
ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html.
Though it's written for Bro, the PF_RING compile steps are the same
for Suricata.

On Wed, May 30, 2012 at 7:52 AM, Dave Remien <dave.remien at gmail.com> wrote:
> The ixgbe large-receive-offload setting should only be turned on when the
> NIC is the endpoint (i.e., in a server say); extra work needs to be done to
> get the content of the packets when you're using the NIC (and machine) in
> bridge/inline mode.  I usually compile the ixgbe driver to turn this setting
> off by default for inline use.
>
> Cheers,
>
> Dave
>
> On Wed, May 30, 2012 at 9:49 AM, Chris Wakelin <c.d.wakelin at reading.ac.uk>
> wrote:
>>
>> On 30/05/12 10:39, Peter Bates wrote:
>> >
>> > Hello again all
>> >
>> > Adding a point to my own reply...
>> >
>> > On 30/05/2012 09:29, Peter Bates wrote:
>> >> When I first had the 10Gb NIC up I was seeing (in ifconfig) rx
>> >> dropped increasing and no rx packets received - and subsequently
>> >> nothing to capture in tcpdump/etc - however as the advice above
>> >> changes all the settings to 'off' I was unsure which one
>> >> actually solved my problem.
>> >
>> > My ixgbe settings are now: Offload parameters for eth6:
>> > rx-checksumming: on tx-checksumming: on scatter-gather: on
>> > tcp-segmentation-offload: on udp-fragmentation-offload: off
>> > generic-segmentation-offload: on generic-receive-offload: on
>> > large-receive-offload: off rx-vlan-offload: off tx-vlan-offload:
>> > off ntuple-filters: off receive-hashing: off
>> >
>> > ... I find when I turn 'large-receive-offload' on then my NIC
>> > stops receiving packets and drops everything.
>> >
>> > I'm receiving traffic from a Cisco SPAN not sure whether it
>> > encapsulates the packets or makes them larger than 1514 hence this
>> > setting disturbing the capture.
>>
>> It might be worth trying a higher MTU, say "ifconfig eth6 mtu 1522".
>> Are there VLAN tags on the port? Our Extreme border switches add VLAN
>> tags to the port mirror in one direction only :-o
>>
>> It might also be worth compiling your own ixgbe driver from
>> http://sourceforge.net/projects/e1000/files/ixgbe%20stable/ or with
>> PF_RING as the one shipped in the 2.6.x kernels seems very old.
>>
>> I'm using PF_RING-enabled ixgbe-3.7.17 (DNA version at the moment) and
>> have left the offload parameters at the defaults:
>>
>> Offload parameters for dna0:
>> rx-checksumming: on
>> tx-checksumming: on
>> scatter-gather: on
>> tcp-segmentation-offload: on
>> udp-fragmentation-offload: off
>> generic-segmentation-offload: on
>> generic-receive-offload: on
>> large-receive-offload: on
>> rx-vlan-offload: off
>> tx-vlan-offload: off
>> ntuple-filters: off
>> receive-hashing: off
>>
>>
>> driver: ixgbe
>> version: 3.7.17-DNA
>> firmware-version: 0x18f60001
>> bus-info: 0000:0c:00.0
>> supports-statistics: yes
>> supports-test: yes
>> supports-eeprom-access: yes
>> supports-register-dump: yes
>> supports-priv-flags: no
>>
>> Best Wishes,
>> Chris
>>
>> --
>> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
>> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
>> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
>> Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
>
>
> --
> ".... We are such stuff
> As dreams are made on; and our little life
> Is rounded with a sleep."
> -- Shakespeare, The Tempest - Act 4
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>

More information about the Oisf-users mailing list