[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

Peter Manev petermanev at gmail.com
Tue Jul 9 07:17:47 UTC 2013


On Tue, Jul 9, 2013 at 6:22 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
> On Tue, Jul 9, 2013 at 9:33 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>
>> On 7/8/2013 8:51 PM, Anoop Saldanha wrote:
>>> Cooper,
>>>
>>> 1. Can you reproduce this with every run?
>>
>> Yes.
>>
>>> 2. Have you enabled the dns parser in the yaml?
>>
>> No.
>>
>>> 3. Are event rules present in your loaded ruleset?
>>
>> No.
>>
>>> 4. If (1) is true, can you locate the offending commit?
>>
>> Unfortunately, no.  I think it was during the week prior to June 21st,
>> as I went on vacation that day and reverted back to the stable release
>> to address the issue.
>>
>>> Possible to get a pcap(privately if you want) for this?
>>
>> That would be difficult.  It's a production 10Gb system and it happens
>> regardless of traffic after a period of time.  I followed this guide
>> almost exactly:
>>
>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>>

Did this just happen after a reboot? And/or kernel upgrade? Just
making sure that the network card drivers are the latest and
installed.

Do you eventually run out of memory?

Something similar happened to our testing machine but there we fixed
it with loading the latest kernel drivers for the network card and
doing a
" /etc/init.d/irqbalance restart "
and load balancing the UDP flow again -
"
ethtool -n eth3 rx-flow-hash udp4
ethtool -g eth3
cat /proc/interrupts
"
on Ubuntu LTS - 3.2 kernel


Thanks

--
Regards,
Peter Manev
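
Added example (not part of the original message, and not Suricata code): a shell helper that totals the `cat /proc/interrupts` output mentioned above per CPU for one interface, to show whether the NIC queue interrupts are spread across cores after irqbalance has been restarted. The sample table is constructed, and the function names `irq_per_cpu` and `busiest_share` are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /proc/interrupts layout (not data from the thread):
# nearly every eth3 queue interrupt is handled by CPU0.
sample_interrupts() {
cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  0:         45          0          0          0   IO-APIC-edge      timer
 64:     900000          0          0          0   PCI-MSI-edge      eth3-TxRx-0
 65:     850000        100          0          0   PCI-MSI-edge      eth3-TxRx-1
 66:     700000          0        200          0   PCI-MSI-edge      eth3-TxRx-2
 67:     549000          0          0        700   PCI-MSI-edge      eth3-TxRx-3
 68:          3          0          0          0   PCI-MSI-edge      eth3
EOF
}

# irq_per_cpu IFACE: read /proc/interrupts text on stdin and print
# "CPUn total percent" over the IRQs named IFACE or IFACE-<queue>.
# Returns non-zero when no interrupts for IFACE are found.
irq_per_cpu() {
    awk -v ifc="$1" '
        NR == 1 { ncpu = NF; for (i = 1; i <= NF; i++) name[i] = $i; next }
        $NF == ifc || index($NF, ifc "-") == 1 {
            # Field 1 is the IRQ number, fields 2..ncpu+1 are per-CPU counts.
            for (i = 1; i <= ncpu; i++) { sum[i] += $(i + 1); total += $(i + 1) }
        }
        END {
            if (total == 0) exit 1
            for (i = 1; i <= ncpu; i++)
                printf "%s %.0f %d\n", name[i], sum[i], int(sum[i] * 100 / total)
        }'
}

# busiest_share IFACE: highest per-CPU percentage, reading the same input.
busiest_share() {
    irq_per_cpu "$1" | awk '$3 > max { max = $3 } END { print max + 0 }'
}

# Report for the constructed sample; on a live host use:
#   irq_per_cpu eth3 < /proc/interrupts
sample_interrupts | irq_per_cpu eth3
echo "busiest CPU handles $(sample_interrupts | busiest_share eth3)% of eth3 interrupts"
```

A share close to 100% on one CPU means the queues are not being balanced; with evenly spread queues each CPU's share is roughly 100 divided by the number of CPUs servicing the card.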


