[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

Victor Julien lists at inliniac.net
Wed Jul 10 21:06:28 UTC 2013

Hash: SHA1

On 07/10/2013 11:00 PM, Cooper F. Nelson wrote:
> I've verified that irqbalance has been restarted and udp is being 
> properly load balanced:
>> sbin # ethtool -n eth2 rx-flow-hash udp4 UDP over IPV4 flows use
>> these fields for computing Hash flow key: IP SA IP DA L4 bytes 0
>> & 1 [TCP/UDP src port] L4 bytes 2 & 3 [TCP/UDP dst port]
> As a test I disabled udp port 53 traffic via a bpf expression.
> This appears to have resolved the issue and I've processed more
> than 100 million packets per CPU without experiencing any locked
> threads.  I have observed cores with an idle time of 0% for a short
> period, but always recovering.
> So, this definitely appears to be a problem with the new DNS
> parser.
> Something interesting about our environment is we have on occasion
> lots of non-DNS traffic over port 53.  As an example, I often see
> bitorrent connections to off-campus hosts over port 53 (I assume to
> get around firewalls on the other end).
> How does the parser handle non-DNS traffic on port 53?  Is it
> possible if it gets too much non-dns traffic in too short a time
> frame on a single thread (like in the bitorrent case) that there
> might be issues?

Are you able to share a capture of that non-dns port 53 traffic?

> Additionally, is there a way to disable the various app-layer
> protocol handlers, either via suricata.yaml or at compile time?  I
> would still like to run the ET DNS sigs on our DNS traffic.

Not yet, but it will be soon, for sure in 2.0final.


> -Coop
> On 7/9/2013 11:46 PM, Peter Manev wrote:
>>> Question along those lines, what do the suricata devs feel
>>> about the various NIC offloading features re: interaction with
>>> suricata?
>> These, I think should be OFF in general. Suricata must be able to
>> see the traffic as it is.
>> Again , if I may, irqbalance and udp balancing are very
>> important.
> _______________________________________________ Suricata IDS Users
> mailing list: oisf-users at openinfosecfoundation.org Site:
> http://suricata-ids.org | Support:
> http://suricata-ids.org/support/ List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/

- -- 
- ---------------------------------------------
Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
- ---------------------------------------------

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/


More information about the Oisf-users mailing list