[Oisf-users] Receive rate dropped

Jose Vila jovimon at gmail.com
Wed Dec 17 17:25:26 UTC 2014 

Hello Giuseppe,

Thank you very much for your help.

My PF_RING info:
# cat /proc/net/pf_ring/info
PF_RING Version          : 6.0.3 ($Revision: 8707$)
Total rings              : 0

Standard (non DNA/ZC) Options
Ring slots               : 4096
Slot version             : 16
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

I just made the changes you commented, and had some issues:

With 64k slots in pf_ring suricata doesn't start, and suricata.log shows
errors not finding pf_ring.

I've done some testing and found an acceptable value at 32767 for both
pf_ring ring slots and default-packet-size (bigger values make my system
unstable, I even had to restart twice).

I'm leaving it and see how it behaves tomorrow at peak time.

Just a couple questions:

* Both values (ring slots and packet size) must be the same?

* Which is the max packet size pf_ring is going to pass to Suricata?

* Why was I experiencing this issue? Were the 4k queues flooded and the
contents overwritten before they were processed, causing packet and alert
loss even without any drop being detected?

* Is there any document where you can "see" how this values impact in RAM
usage?

Regards,

Jose Vila.


On Wed, Dec 17, 2014 at 2:33 PM, Giuseppe Longo <giuseppelng at gmail.com>
wrote:
>
> Hi Jose,
> You may need to tune your configuration.
>
> Let's start from PF_RING:
> # cat /proc/net/pf_ring/info
>
> If the ring slot value is 4096, try to increase it:
> rmmod pf_ring
> modprobe pf_ring transparent_mode=0 min_num_slots=65534
>
> Then adjust the default-packet-size value in suricata.yaml:
> default-packet-size: 65535
>
>
> Cheers,
> Giuseppe
>
> 2014-12-17 12:47 GMT+01:00 Jose Vila <jovimon at gmail.com>:
> > Hello,
> >
> > I just updated to Suricata 2.0.3 and PF_RING 6.0.3 from SVN, and this
> > behaviour still persists.
> >
> > Can someone help?
> >
> > Thanks.
> >
> > On Tue, Dec 16, 2014 at 10:28 AM, Jose Vila <jovimon at gmail.com> wrote:
> >>
> >> Hello list,
> >>
> >> I'm moving from snort to Suricata, and I'm getting some problems.
> >>
> >> Before I had Snort 2.9.3.1 w/PF_RING 5.5.0, and had to pass parameter
> >> "--daq-var no-kernel-filters=1" to Snort because the packet receive
> rate was
> >> slowly decreasing to the point of only 1/10 of the traffic being
> processed
> >> by Snort.
> >>
> >> Now with Suricata 2.0.3 and PF_RING 5.5.0 i'm seeing the same behaviour
> >> ...
> >>
> >> If I count lines of log written to eve.json as Peter Manev does (see
> [1]),
> >> at suricata's start i get 2K-5K logs per second, but after a couple of
> days
> >> I only get 5-20 entries per second. Also, drop counters in stats.log
> turned
> >> from less than 0.1% to around 10%.
> >>
> >> Is there a way to pass this variable (no-kernel-filters) to PF_RING
> >> through Suricata?
> >>
> >> Thanks,
> >>
> >> Jose Vila.
> >>
> >> [1]
> >>
> http://pevma.blogspot.com.es/2014/05/logs-per-second-on-evejson-good-and-bad.html
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141217/e1f7c3b8/attachment-0002.html>

More information about the Oisf-users mailing list