[Oisf-users] Just what does "capture.kernel_drops" count?

Peter Manev petermanev at gmail.com
Tue Aug 19 09:56:24 UTC 2014


On Tue, Aug 19, 2014 at 3:12 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Hi
>
> I am using pfring and suri together and I am seeing a significant number (~50%) of capture.kernel_drops at peak times.
>
> capture.kernel_packets    | RxPFReth31                | 2404928581
> capture.kernel_drops      | RxPFReth31                | 1434169109
>
> (stats over 10 minutes)
>
> According to our cPacket switch, the interface is seeing about 2.5Gbps and 360K pps.
>
> This sensor is also running bro which I may well have to drop.
>
> Russell


Hi,

I think you might need to do some tuning.
What do your memcaps and timeouts look like in suricata.yaml?
What are your buffers for pf_ring? Which pf_ring version are you running?
How many pps do you have?

Thanks


-- 
Regards,
Peter Manev