[Oisf-users] What does it means??
Shirkdog
shirkdog at gmail.com
Wed Oct 9 12:37:31 UTC 2013
Also the age-old questions:
1) amount of traffic
2) hardware with FreeBSD installed.
You can do some sysctl hacks to get more network performance but it is all
for naught when you are trying to monitor tons of traffic.
On Oct 9, 2013 8:32 AM, "Victor Julien" <lists at inliniac.net> wrote:
> On 10/09/2013 02:28 PM, C. L. Martinez wrote:
> > Hi all,
> >
> > Recently, I have installed a FreeBSD 9.2 host with suricata 1.4.6 and
> > returns me a lot of packets dropped by kernel:
> >
> > For example after 2 minutes up:
> >
> > Date: 10/9/2013 -- 12:19:50 (uptime: 0d, 00h 02m 58s)
> > -------------------------------------------------------------------
> > Counter | TM Name | Value
> > -------------------------------------------------------------------
> > capture.kernel_packets | RxPcapem41 | 3137698
> > capture.kernel_drops | RxPcapem41 | 2415508
> > capture.kernel_ifdrops | RxPcapem41 | 0
> >
> > But tcp.ssn_memcap_drop and tcp.reassembly_gap:
> >
> > decoder.avg_pkt_size | RxPcapem42 | 828
> > decoder.max_pkt_size | RxPcapem42 | 1514
> > defrag.ipv4.fragments | RxPcapem42 | 90
> > defrag.ipv4.reassembled | RxPcapem42 | 25
> > defrag.ipv4.timeouts | RxPcapem42 | 0
> > defrag.ipv6.fragments | RxPcapem42 | 0
> > defrag.ipv6.reassembled | RxPcapem42 | 0
> > defrag.ipv6.timeouts | RxPcapem42 | 0
> > defrag.max_frag_hits | RxPcapem42 | 0
> > tcp.sessions | RxPcapem42 | 308
> > tcp.ssn_memcap_drop | RxPcapem42 | 0
> > tcp.pseudo | RxPcapem42 | 23
> > tcp.invalid_checksum | RxPcapem42 | 0
> > tcp.no_flow | RxPcapem42 | 0
> > tcp.reused_ssn | RxPcapem42 | 0
> > tcp.memuse | RxPcapem42 | 6029312
> > tcp.syn | RxPcapem42 | 1261
> > tcp.synack | RxPcapem42 | 702
> > tcp.rst | RxPcapem42 | 565
> > tcp.segment_memcap_drop | RxPcapem42 | 0
> > tcp.stream_depth_reached | RxPcapem42 | 0
> > tcp.reassembly_memuse | RxPcapem42 | 11327048
> > tcp.reassembly_gap | RxPcapem42 | 23
>
> tcp.ssn_memcap_drop and tcp.reassembly_gap only related to memcaps, not
> to packet loss.
>
> > I think the problem is with interrupts:
> >
> > interrupt total rate
> > irq1: atkbd0 6 0
> > irq10: em2 em3 2320880 3453
> > irq11: em0 em1 em4+ 1256951 1870
> > cpu0:timer 148773 221
> > cpu1:timer 148310 220
> > Total 3877066 5769
>
> Not sure.
>
> What runmode are you using? Also, whats your max-pending-packets setting?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
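A small checker for the kind of stats.log dump quoted above, separating the capture-side drop counters (capture.kernel_packets / capture.kernel_drops) from the memcap counters Victor points out are unrelated to packet loss. This is an added example, not code from the thread or the Suricata project; the sample rows are a subset of the counters quoted above, and the 5% drop threshold is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the stats.log counter rows quoted in the thread.
SAMPLE_STATS = """\
capture.kernel_packets | RxPcapem41 | 3137698
capture.kernel_drops | RxPcapem41 | 2415508
tcp.sessions | RxPcapem42 | 308
tcp.ssn_memcap_drop | RxPcapem42 | 0
tcp.segment_memcap_drop | RxPcapem42 | 0
tcp.reassembly_gap | RxPcapem42 | 23
"""

# Matches "counter | thread name | value" rows; header and dashed lines do not match.
LINE_RE = re.compile(r"^\s*(?P<counter>[\w.]+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$")

def parse_stats(text):
    """Return {thread_name: {counter: int}} for every counter row in the dump."""
    stats = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m["thread"]][m["counter"]] = int(m["value"])
    return dict(stats)

def kernel_drop_ratio(counters):
    """Fraction of kernel-seen packets dropped before Suricata read them; None if unknown."""
    packets = counters.get("capture.kernel_packets")
    drops = counters.get("capture.kernel_drops")
    if not packets or drops is None:
        return None
    return drops / packets

def memcap_drops(counters):
    """Total of the memcap drop counters, which reflect memory limits, not capture loss."""
    return sum(counters.get(c, 0) for c in ("tcp.ssn_memcap_drop", "tcp.segment_memcap_drop"))

def assess(text, drop_threshold=0.05):  # threshold is an assumed example value
    """Label each thread 'capture_loss', 'memcap', or 'ok' from its own counters."""
    verdict = {}
    for thread, counters in parse_stats(text).items():
        ratio = kernel_drop_ratio(counters)
        if ratio is not None and ratio > drop_threshold:
            verdict[thread] = "capture_loss"
        elif memcap_drops(counters) > 0:
            verdict[thread] = "memcap"
        else:
            verdict[thread] = "ok"
    return verdict
```

On the quoted numbers the RxPcapem41 thread loses roughly 77% of packets in the kernel, which points at capture throughput rather than the memcap settings.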