[Oisf-users] Just what does "capture.kernel_drops" count?

Peter Manev petermanev at gmail.com
Wed Aug 20 07:27:58 UTC 2014 

On Tue, Aug 19, 2014 at 10:43 PM, Russell Fulton
<r.fulton at auckland.ac.nz> wrote:
>
> On 19/08/2014, at 9:56 pm, Peter Manev <petermanev at gmail.com> wrote:
>
> On Tue, Aug 19, 2014 at 3:12 AM, Russell Fulton <r.fulton at auckland.ac.nz>
> wrote:
>
> Hi
>
> I am using pfring and suri together and I am seeing significant number
> (~50%) of capture.kernel_drops at peak times.
>
> capture.kernel_packets    | RxPFReth31                | 2404928581
> capture.kernel_drops      | RxPFReth31                | 1434169109
>
> *stats over 10 minutes)
>
> according to our cpacket switch interface is seeing about 2.5Gbps and 360K
> pps.
>
> This sensor is also running bro which I may well have to drop.
>
> Russell
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
>
>
> Hi,
>
> I think you might need to do some tuning.
> What does your memcaps and timeouts look like in suricata.yaml.
>
>
>
> flow:
>   memcap: 128mb
>   hash-size: 65536
>   prealloc: 10000
>   emergency-recovery: 30
> flow-timeouts:
>
>   default:
>     new: 30
>     established: 300
>     closed: 0
>     emergency-new: 10
>     emergency-established: 100
>     emergency-closed: 0
>   tcp:
>     new: 60
>     established: 3600
>     closed: 120
>     emergency-new: 10
>     emergency-established: 300
>     emergency-closed: 20
>   udp:
>     new: 30
>     established: 300
>     emergency-new: 10
>     emergency-established: 100
>   icmp:
>     new: 30
>     established: 300
>     emergency-new: 10
>     emergency-established: 100
> stream:
>   memcap: 32mb
>   checksum-validation: yes      # reject wrong csums
>   inline: no                    # no inline mode
>   reassembly:
>     memcap: 64mb
>     depth: 1mb                  # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>
> # Host table:
> #
> # Host table is used by tagging and per host thresholding subsystems.
> #
> host:
>   hash-size: 4096
>   prealloc: 1000
>   memcap: 16777216
>
>
> What are your buffers for pf_ring? Which pf_ring version are you running?
>
>
> not sure how i find this out?  I am using pfring from the SO distribution
>
> How many pps do you have?
>
>
> order of 350Kpps
>
>

Yeah - I think we need some tuning :) (since these are the default
settings in suricata.yaml from what i see)

And what is your HW? (CPU,RAM,NIC)?

thanks

-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list