[Oisf-users] Receive rate dropped

Giuseppe Longo giuseppelng at gmail.com
Wed Dec 17 13:33:16 UTC 2014


Hi Jose,
You may need to tune your configuration.

Let's start from PF_RING:
# cat /proc/net/pf_ring/info

If the ring slot value is 4096, try to increase it:
rmmod pf_ring
modprobe pf_ring transparent_mode=0 min_num_slots=65534

Then adjust the default-packet-size value in suricata.yaml:
default-packet-size: 65535


Cheers,
Giuseppe

2014-12-17 12:47 GMT+01:00 Jose Vila <jovimon at gmail.com>:
> Hello,
>
> I just updated to Suricata 2.0.3 and PF_RING 6.0.3 from SVN, and this
> behaviour still persists.
>
> Can someone help?
>
> Thanks.
>
> On Tue, Dec 16, 2014 at 10:28 AM, Jose Vila <jovimon at gmail.com> wrote:
>>
>> Hello list,
>>
>> I'm moving from Snort to Suricata, and I'm getting some problems.
>>
>> Before I had Snort 2.9.3.1 w/PF_RING 5.5.0, and had to pass parameter
>> "--daq-var no-kernel-filters=1" to Snort because the packet receive rate was
>> slowly decreasing to the point of only 1/10 of the traffic being processed
>> by Snort.
>>
>> Now with Suricata 2.0.3 and PF_RING 5.5.0 I'm seeing the same behaviour
>> ...
>>
>> If I count lines of log written to eve.json as Peter Manev does (see [1]),
>> at Suricata's start I get 2K-5K logs per second, but after a couple of days
>> I only get 5-20 entries per second. Also, drop counters in stats.log turned
>> from less than 0.1% to around 10%.
>>
>> Is there a way to pass this variable (no-kernel-filters) to PF_RING
>> through Suricata?
>>
>> Thanks,
>>
>> Jose Vila.
>>
>> [1]
>> http://pevma.blogspot.com.es/2014/05/logs-per-second-on-evejson-good-and-bad.html

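Added example, not part of the original thread and not Suricata project code: one way to track the drop-rate degradation described above is to compute the drop percentage per interval from the cumulative capture.kernel_packets and capture.kernel_drops counters in stats.log, summed over capture threads. The sample dumps, thread names and the 1% threshold are constructed assumptions; the "counter | thread | value" layout is assumed.

```python
import re
# Constructed sample: three stats.log dumps, two capture threads (made-up values).
SAMPLE = """\
Date: 12/14/2014 -- 10:00:00 (uptime: 0d, 00h 00m 08s)
capture.kernel_packets    | RxPFReth01                | 600000
capture.kernel_drops      | RxPFReth01                | 300
capture.kernel_packets    | RxPFReth02                | 400000
capture.kernel_drops      | RxPFReth02                | 200
Date: 12/14/2014 -- 10:00:08 (uptime: 0d, 00h 00m 16s)
capture.kernel_packets    | RxPFReth01                | 1200000
capture.kernel_drops      | RxPFReth01                | 600
capture.kernel_packets    | RxPFReth02                | 800000
capture.kernel_drops      | RxPFReth02                | 400
Date: 12/16/2014 -- 10:00:00 (uptime: 2d, 00h 00m 00s)
capture.kernel_packets    | RxPFReth01                | 1800000
capture.kernel_drops      | RxPFReth01                | 60600
capture.kernel_packets    | RxPFReth02                | 1200000
capture.kernel_drops      | RxPFReth02                | 40400
"""

DATE_RE = re.compile(r"^Date:\s*(.+?)\s*\(uptime")
CTR_RE = re.compile(r"^capture\.kernel_(packets|drops)\s*\|\s*\S+\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Return [(date, packets, drops)], counters summed over capture threads."""
    dumps = []
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            dumps.append([m.group(1), 0, 0])
            continue
        m = CTR_RE.match(line)
        if m and dumps:
            dumps[-1][1 if m.group(1) == "packets" else 2] += int(m.group(2))
    return [tuple(d) for d in dumps]

def interval_drop_rates(dumps, threshold_pct=1.0):
    """Counters are cumulative, so the drop % comes from deltas between dumps."""
    rates = []
    for (_, p0, d0), (date, p1, d1) in zip(dumps, dumps[1:]):
        dp, dd = p1 - p0, d1 - d0
        if dp > 0 and dd >= 0:  # skip intervals where counters reset (restart)
            pct = round(100.0 * dd / dp, 3)
            rates.append((date, pct, pct >= threshold_pct))
    return rates

if __name__ == "__main__":
    for row in interval_drop_rates(parse_dumps(SAMPLE)):
        print(row)
```

To use it on a sensor, pass the contents of the real stats.log to parse_dumps() instead of SAMPLE.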