[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

Cooper F. Nelson cnelson at ucsd.edu
Tue Jul 9 19:49:18 UTC 2013


On 7/9/2013 12:17 AM, Peter Manev wrote:
> Did this just happen after a reboot ? And/or kernel upgrade? Just
> making sure that the network card drivers are the latest and
> installed.

This is a gentoo box that has been up for a couple months.  I tried
updating the driver yesterday after rebooting, the kernel today and have
reverted all local settings/optimizations to the OISF defaults as
recommended for a 10Gb system.

Under this configuration it definitely runs better (the load average
stays under 10), but a few threads still end up wedging after about
20 million packets each.  Over time the rest of the threads also
eventually exhibit the same behavior.

> Do you eventually run out of memory?

I haven't yet, but I can see the memory usage slowly increasing.  I have
48 gigs on this system so it would take a while for it to run out.

I have noticed that I've started getting these errors in the
suricata.log file.  Is this the new 'dns parsers' feature?  Is there a
way to disable it to see if that's where the memory leak is?

> [21615] 9/7/2013 -- 19:38:31 - (app-layer-dns-common.c:420) <Info> (DNSResponseGetNameByOffset) -- input buffer too small for domain of len 192

> Something similar happened to our testing machine but there we fixed
> it with loading the latest kernel drivers for the network card and
> doing a
> " /etc/init.d/irqbalance restart "
> and load balancing the UDP flow again -
> "
> ethtool -n eth3 rx-flow-hash udp4
> ethtool -g eth3
> cat /proc/interrupts
> "
> on Ubuntu LTS - 3.2 kernel

Question along those lines, what do the suricata devs feel about the
various NIC offloading features re: interaction with suricata?

See: >

I had these features disabled as per this article; but I've re-enabled
them for testing.

-Coop

> Thanks
> --
> Regards,
> Peter Manev

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
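Added example, not from the thread: a small POSIX shell helper for the `cat /proc/interrupts` check Peter quotes above. It totals the per-CPU interrupt counts for one NIC so that a single CPU servicing every queue of the card (the pattern that leaves one capture thread pegged while the rest idle) shows up as a percentage instead of a wall of numbers. The NIC name eth3, the queue names and all counts in the embedded sample are constructed.

```shell
#!/bin/sh
# Constructed sample in the layout of /proc/interrupts: a hypothetical 4-queue
# eth3 on a 4-CPU box whose IRQs all land on CPU0 (counts are made up).
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  0:        125          0          0          0   IO-APIC-edge      timer
 80:    9800000          0          0          0   PCI-MSI-edge      eth3-TxRx-0
 81:    9700000       1000          0          0   PCI-MSI-edge      eth3-TxRx-1
 82:    9650000          0        500          0   PCI-MSI-edge      eth3-TxRx-2
 83:    9900000          0          0        300   PCI-MSI-edge      eth3-TxRx-3
NMI:          0          0          0          0   Non-maskable interrupts'

# irq_share FILE NIC -> one line per CPU: "CPUn TOTAL PERCENT", summed over
# every IRQ line that names NIC (e.g. all of its TxRx queues).
irq_share() {
    awk -v nic="$2" '
        NR == 1 { ncpu = NF; for (i = 1; i <= NF; i++) cpu[i] = $i; next }
        index($0, nic) > 0 {
            # $1 is the IRQ number, $2..$(ncpu+1) are the per-CPU counters
            for (i = 1; i <= ncpu; i++) { c = $(i + 1) + 0; sum[i] += c; total += c }
        }
        END {
            for (i = 1; i <= ncpu; i++)
                printf "%s %d %.1f\n", cpu[i], sum[i], (total ? 100 * sum[i] / total : 0)
        }' "$1"
}

# irq_imbalanced FILE NIC PCT -> exit 0 when a single CPU handles more than
# PCT percent of the NIC interrupts, i.e. irqbalance/affinity is not spreading them.
irq_imbalanced() {
    irq_share "$1" "$2" | awk -v pct="$3" '$3 > pct { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Demo on the constructed sample; on a live box use: irq_share /proc/interrupts eth3
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_INTERRUPTS" > "$tmp"
irq_share "$tmp" eth3
if irq_imbalanced "$tmp" eth3 80; then
    echo "eth3: one CPU takes >80% of its interrupts; check irqbalance / IRQ affinity"
fi
rm -f "$tmp"
```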