[Oisf-users] Just what does "capture.kernel_drops" count?
Russell Fulton
r.fulton at auckland.ac.nz
Tue Aug 19 20:43:22 UTC 2014
On 19/08/2014, at 9:56 pm, Peter Manev <petermanev at gmail.com> wrote:
On Tue, Aug 19, 2014 at 3:12 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
Hi
I am using pfring and suri together and I am seeing significant number (~50%) of capture.kernel_drops at peak times.
capture.kernel_packets | RxPFReth31 | 2404928581
capture.kernel_drops | RxPFReth31 | 1434169109
(stats over 10 minutes)
According to our cPacket switch, the interface is seeing about 2.5Gbps and 360K pps.
This sensor is also running bro which I may well have to drop.
Russell
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
Hi,
I think you might need to do some tuning.
What do your memcaps and timeouts look like in suricata.yaml?
flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

stream:
  memcap: 32mb
  checksum-validation: yes # reject wrong csums
  inline: no # no inline mode
  reassembly:
    memcap: 64mb
    depth: 1mb # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

# Host table:
#
# Host table is used by tagging and per host thresholding subsystems.
#
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216
What are your buffers for pf_ring? Which pf_ring version are you running?
Not sure how I find this out? I am using pfring from the SO distribution.
How many pps do you have?
Order of 350K pps.
thanks
--
Regards,
Peter Manev
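The two counter lines quoted at the top of the thread are cumulative totals since Suricata started, so a single snapshot only gives the lifetime drop ratio. To see what is happening at peak times you need to difference two stats.log snapshots taken a known interval apart. The script below is an added example, not code from the thread or from the Suricata project: it parses the `name | thread | value` line format of stats.log, reports the cumulative ratio as posted, and then computes per-thread pps and drop ratio over an interval from counter deltas. The first snapshot reuses the two values Russell posted; the second snapshot and the 600-second interval are constructed so the deltas come out at 360K pps, the rate he reports from the switch. It takes no position on whether `capture.kernel_packets` includes dropped packets for pf_ring (the question the subject line asks and the thread does not settle); it simply uses drops / packets, the ratio the poster computed.

```python
"""Drop-rate check over Suricata stats.log counter lines (added example)."""
import re

# One stats.log counter line: "counter.name | ThreadName | 12345"
LINE_RE = re.compile(
    r"^\s*(?P<name>[\w.]+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$"
)

# Snapshot 0 reuses the two counters quoted in the thread.
STATS_T0 = """\
capture.kernel_packets    | RxPFReth31                | 2404928581
capture.kernel_drops      | RxPFReth31                | 1434169109
"""
# Snapshot 1 is constructed: +216,000,000 packets and +108,000,000 drops
# over the interval, i.e. 360K pps with half of the packets dropped.
STATS_T1 = """\
capture.kernel_packets    | RxPFReth31                | 2620928581
capture.kernel_drops      | RxPFReth31                | 1542169109
"""
INTERVAL_SECONDS = 600  # constructed: snapshots taken 10 minutes apart


def parse_stats(text):
    """Return {thread: {counter_name: value}} from stats.log counter lines."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters.setdefault(m["thread"], {})[m["name"]] = int(m["value"])
    return counters


def cumulative_drop_ratio(snapshot):
    """drops / packets per thread, using lifetime totals as posted."""
    ratios = {}
    for thread, c in snapshot.items():
        packets = c.get("capture.kernel_packets", 0)
        if packets:
            ratios[thread] = c.get("capture.kernel_drops", 0) / packets
    return ratios


def interval_rates(t0, t1, seconds):
    """Per-thread pps and drop ratio between two snapshots.

    The counters are cumulative, so differencing isolates the interval.
    A negative delta means Suricata restarted and the counters reset;
    such threads are skipped rather than reported as bogus rates.
    """
    rates = {}
    for thread, now in t1.items():
        before = t0.get(thread)
        if before is None:
            continue
        d_packets = now.get("capture.kernel_packets", 0) - before.get("capture.kernel_packets", 0)
        d_drops = now.get("capture.kernel_drops", 0) - before.get("capture.kernel_drops", 0)
        if d_packets < 0 or d_drops < 0:
            continue
        rates[thread] = {
            "pps": d_packets / seconds,
            "drop_ratio": (d_drops / d_packets) if d_packets else 0.0,
        }
    return rates


def threads_over_threshold(rates, max_drop_ratio=0.01):
    """Capture threads whose interval drop ratio exceeds the given bound."""
    return sorted(t for t, r in rates.items() if r["drop_ratio"] > max_drop_ratio)


if __name__ == "__main__":
    t0, t1 = parse_stats(STATS_T0), parse_stats(STATS_T1)
    for thread, ratio in cumulative_drop_ratio(t0).items():
        print(f"{thread}: lifetime drop ratio {ratio:.1%}")
    rates = interval_rates(t0, t1, INTERVAL_SECONDS)
    for thread, r in rates.items():
        print(f"{thread}: {r['pps']:.0f} pps, interval drop ratio {r['drop_ratio']:.1%}")
    print("over threshold:", threads_over_threshold(rates))
```

Run it against two real snapshots of stats.log (one per `stats.interval`) and the interval ratio tells you whether drops are a steady-state problem or confined to the peak; a thread that never clears the threshold while pps stays near the link rate points at the capture thread rather than at flow or stream memcaps.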