[Oisf-users] Issue with file extraction using 'workers' mode with AF_PACKET

Cooper F. Nelson cnelson at ucsd.edu
Mon Oct 21 19:24:38 UTC 2013



There seems to be an issue with threading/load balancing when enabling
file extraction in worker+AF_PACKET mode when using auto-flow-pinning.

It looks like some aspect of the file extraction process is not being
threaded properly and consuming resources on the first core, which in
turn is causing some pretty extreme packet loss for that CPU.

Leaving file extraction/tracking enabled and disabling the file
extraction rules fixes the issue, so this seems to be related to the
'file store' process.  Example of observed packet drops listed below:

> capture.kernel_packets    | AFPacketeth21             | 2298820
> capture.kernel_drops      | AFPacketeth21             | 4404497
> capture.kernel_packets    | AFPacketeth22             | 6452443
> capture.kernel_drops      | AFPacketeth22             | 0
> capture.kernel_packets    | AFPacketeth23             | 6836558
> capture.kernel_drops      | AFPacketeth23             | 0
> capture.kernel_packets    | AFPacketeth24             | 6288139
> capture.kernel_drops      | AFPacketeth24             | 0
> capture.kernel_packets    | AFPacketeth25             | 6103543
> capture.kernel_drops      | AFPacketeth25             | 0
> capture.kernel_packets    | AFPacketeth26             | 6320369
> capture.kernel_drops      | AFPacketeth26             | 0
> capture.kernel_packets    | AFPacketeth27             | 5393245
> capture.kernel_drops      | AFPacketeth27             | 0
> capture.kernel_packets    | AFPacketeth28             | 6102032
> capture.kernel_drops      | AFPacketeth28             | 0
> capture.kernel_packets    | AFPacketeth29             | 6119626
> capture.kernel_drops      | AFPacketeth29             | 0
> capture.kernel_packets    | AFPacketeth210            | 5382988
> capture.kernel_drops      | AFPacketeth210            | 0
> capture.kernel_packets    | AFPacketeth211            | 6148446
> capture.kernel_drops      | AFPacketeth211            | 0
> capture.kernel_packets    | AFPacketeth212            | 5097439
> capture.kernel_drops      | AFPacketeth212            | 0
> capture.kernel_packets    | AFPacketeth213            | 5110970
> capture.kernel_drops      | AFPacketeth213            | 0
> capture.kernel_packets    | AFPacketeth214            | 6597190
> capture.kernel_drops      | AFPacketeth214            | 0
> capture.kernel_packets    | AFPacketeth215            | 5138118
> capture.kernel_drops      | AFPacketeth215            | 0
> capture.kernel_packets    | AFPacketeth216            | 5132507
> capture.kernel_drops      | AFPacketeth216            | 0

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
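Added example, not part of the original message: one way to spot the single-hot-thread pattern reported above from per-thread capture counters in the layout the message quotes. The function names, the two thresholds, and the treatment of kernel_packets and kernel_drops as disjoint counts are assumptions of this sketch, not Suricata behaviour confirmed by the post.

```python
import re
from collections import defaultdict

# Constructed sample: three of the counter pairs quoted in the message,
# in the same "counter | thread | value" layout (leading "> " tolerated).
SAMPLE = """\
> capture.kernel_packets    | AFPacketeth21             | 2298820
> capture.kernel_drops      | AFPacketeth21             | 4404497
> capture.kernel_packets    | AFPacketeth22             | 6452443
> capture.kernel_drops      | AFPacketeth22             | 0
> capture.kernel_packets    | AFPacketeth23             | 6836558
> capture.kernel_drops      | AFPacketeth23             | 0
"""

LINE = re.compile(
    r"^\s*>?\s*capture\.kernel_(packets|drops)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def per_thread(text):
    """Return {thread: {"packets": n, "drops": n}}; later lines overwrite earlier."""
    stats = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stats[m.group(2)][m.group(1)] = int(m.group(3))
    return dict(stats)

def drop_ratio(c):
    # Assumption: the two counters are disjoint, so offered traffic is their sum.
    total = c["packets"] + c["drops"]
    return c["drops"] / total if total else 0.0

def skewed_threads(stats, ratio_limit=0.01, share_limit=0.8):
    """Threads that drop more than ratio_limit of their own traffic AND account
    for more than share_limit of all drops (both limits are illustrative)."""
    all_drops = sum(c["drops"] for c in stats.values())
    return [(name, round(drop_ratio(c), 4), c["drops"] / all_drops)
            for name, c in sorted(stats.items())
            if all_drops and drop_ratio(c) > ratio_limit
            and c["drops"] / all_drops > share_limit]

if __name__ == "__main__":
    for name, ratio, share in skewed_threads(per_thread(SAMPLE)):
        print(f"{name}: drops {ratio:.1%} of its traffic, {share:.0%} of all drops")
```

A thread flagged here while its siblings report zero drops points at per-thread work imbalance rather than overall capacity, which is the distinction the report draws.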

