[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

Leonard Jacobs ljacobs at netsecuris.com
Wed Jul 10 09:51:09 UTC 2013

We actually had problems with offloading enabled.  Our SSL VPN had issues such as slowness when offloading was enabled on our Suricata system while af-packet IPS was turned on.  As soon as we disabled network interface offloading, the problem disappeared.

-----Original Message-----
From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Peter Manev
Sent: Wednesday, July 10, 2013 1:47 AM
To: Cooper F. Nelson
Cc: oisf-users
Subject: Re: [Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

>> Something similar happened to our testing machine but there we fixed 
>> it with loading the latest kernel drivers for the network card and 
>> doing a " /etc/init.d/irqbalance restart "
>> and load balancing the UDP flow again - "
>> ethtool -n eth3 rx-flow-hash udp4
>> ethtool -g eth3
>> cat /proc/interrupts
>> "
>> on Ubuntu LTS - 3.2 kernel
> Question along those lines, what do the suricata devs feel about the 
> various NIC offloading features re: interaction with suricata?

These, I think should be OFF in general. Suricata must be able to see the traffic as it is.

Again, if I may, irqbalance and udp balancing are very important.

> See:
> http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
> I had these features disabled as per this article; but I've re-enabled 
> them for testing.
> -Coop

Peter Manev
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
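
The thread's advice to keep NIC offloading off on a Suricata sensor can be checked from `ethtool -k` output. The script below is an added example, not code from the thread or from the Suricata project; the feature list audited, the function names and the sample output (interface eth3, as in the quoted message) are assumptions constructed for illustration.

```shell
# Constructed sample of `ethtool -k eth3` output, not captured from a real host.
SAMPLE_FEATURES='Features for eth3:
rx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# Map an `ethtool -k` feature name to its `ethtool -K` keyword.
# Assumption: these seven are the offloads to audit; others print nothing.
offload_keyword() {
    case "$1" in
        rx-checksumming)              echo rx  ;;
        tx-checksumming)              echo tx  ;;
        scatter-gather)               echo sg  ;;
        tcp-segmentation-offload)     echo tso ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
    esac
}

# Read `ethtool -k` output on stdin; print keywords of audited offloads that
# are "on". [fixed] lines are skipped: ethtool cannot change those features.
enabled_offloads() {
    out=""
    while IFS= read -r line; do
        case "$line" in *"[fixed]"*) continue ;; esac
        name=${line%%:*}
        state=${line#*: }
        [ "$state" = "on" ] || continue
        kw=$(offload_keyword "$name")
        if [ -n "$kw" ]; then out="$out $kw"; fi
    done
    echo "${out# }"
}

# Print the `ethtool -K` command that switches the given offloads off.
disable_command() {
    iface=$1; shift
    [ $# -gt 0 ] || return 0
    cmd="ethtool -K $iface"
    for kw in "$@"; do cmd="$cmd $kw off"; done
    echo "$cmd"
}

# Live use would be: ethtool -k eth3 | enabled_offloads
on=$(printf '%s\n' "$SAMPLE_FEATURES" | enabled_offloads)
disable_command eth3 $on
```

Settings changed with `ethtool -K` do not survive a reboot or driver reload, so the check is worth re-running after either.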
