[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?
Victor Julien
lists at inliniac.net
Wed Jul 10 17:06:28 EDT 2013
On 07/10/2013 11:00 PM, Cooper F. Nelson wrote:
> I've verified that irqbalance has been restarted and udp is being
> properly load balanced:
>
>> sbin # ethtool -n eth2 rx-flow-hash udp4
>> UDP over IPV4 flows use these fields for computing Hash flow key:
>> IP SA
>> IP DA
>> L4 bytes 0 & 1 [TCP/UDP src port]
>> L4 bytes 2 & 3 [TCP/UDP dst port]
>
> As a test I disabled udp port 53 traffic via a bpf expression.
> This appears to have resolved the issue and I've processed more
> than 100 million packets per CPU without experiencing any locked
> threads. I have observed cores with an idle time of 0% for a short
> period, but always recovering.
>
> So, this definitely appears to be a problem with the new DNS
> parser.
>
> Something interesting about our environment is we have on occasion
> lots of non-DNS traffic over port 53. As an example, I often see
> BitTorrent connections to off-campus hosts over port 53 (I assume to
> get around firewalls on the other end).
>
> How does the parser handle non-DNS traffic on port 53? Is it
> possible if it gets too much non-DNS traffic in too short a time
> frame on a single thread (like in the BitTorrent case) that there
> might be issues?

Are you able to share a capture of that non-DNS port 53 traffic?

> Additionally, is there a way to disable the various app-layer
> protocol handlers, either via suricata.yaml or at compile time? I
> would still like to run the ET DNS sigs on our DNS traffic.

Not yet, but it will be soon, for sure in 2.0final.

Cheers,
Victor

> -Coop
>
> On 7/9/2013 11:46 PM, Peter Manev wrote:
>>>
>>> Question along those lines, what do the suricata devs feel
>>> about the various NIC offloading features re: interaction with
>>> suricata?
>
>> These, I think should be OFF in general. Suricata must be able to
>> see the traffic as it is.
>
>> Again, if I may, irqbalance and udp balancing are very
>> important.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
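
Added example, not part of the original thread and not Suricata's DNS parser: a structural check of UDP port 53 payloads against the RFC 1035 message layout, one way to pick out the non-DNS port 53 packets discussed above when preparing a capture. The function names and sample payloads are constructed for illustration, and the question-count bound is a heuristic assumption.

```python
import struct

# IANA-assigned DNS opcodes; 3 and 7-15 are unassigned.
ASSIGNED_OPCODES = {0, 1, 2, 4, 5, 6}

def skip_name(buf, off):
    """Return the offset just past the name starting at off, or None if malformed."""
    total = 0
    while off < len(buf):
        length = buf[off]
        if length == 0:                      # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes, ends the name
            return off + 2 if off + 2 <= len(buf) else None
        if length > 63:                      # a label is at most 63 octets
            return None
        total += length + 1
        if total > 254:                      # a name is at most 255 octets with the root
            return None
        off += length + 1
    return None                              # ran off the end of the payload

def looks_like_dns(payload):
    """Heuristic: does this UDP payload have the shape of a DNS message?"""
    if len(payload) < 12:                    # fixed header is 12 bytes
        return False
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if (flags >> 11) & 0xF not in ASSIGNED_OPCODES or flags & 0x0040:
        return False                         # unassigned opcode or reserved Z bit set
    if not 1 <= qd <= 4:                     # assumption: real traffic carries 1 question
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(payload, off)
        if off is None or off + 4 > len(payload):
            return False
        off += 4                             # QTYPE + QCLASS
    return True

def tally(payloads):
    """Count payloads that do and do not parse as DNS."""
    dns = sum(1 for p in payloads if looks_like_dns(p))
    return {"dns": dns, "non_dns": len(payloads) - dns}

# Constructed samples: a query for example.com, and a BitTorrent DHT ping.
SAMPLE_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
SAMPLE_DHT = b"d1:ad2:id20:" + b"a" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"

if __name__ == "__main__":
    print(tally([SAMPLE_QUERY, SAMPLE_DHT, SAMPLE_QUERY[:20]]))
```
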