[Oisf-users] Packet drops on core 0 when file extraction is enabled?

Cooper F. Nelson cnelson at ucsd.edu
Fri Jan 31 14:43:22 UTC 2014



On 1/31/2014 1:08 AM, Eric Leblond wrote:
> 
> Intel cards with the ixgbe driver are using RSS queue 0 to send most crap
> packets. For example, UDP packets are sent to RSS 0 by default if you did not do
> 	sudo ethtool -n eth3 rx-flow-hash udp4
> It is also sending to queue 0 all packets that cannot be load balanced
> via the embedded hash function. For example, IPv6 fragmented packets fall
> into that category.
> 
> So core 0 receives the bad traffic and that could explain why it has
> more drops.
> 

Ok that explains much; we have a very noisy network, including
backscatter to an entire /8!

I'm explicitly monitoring only our IPv4 networks via a bpf filter, but I
admit I don't really understand where the packets are actually getting
filtered.  I can imagine that if all the 'crap' packets are getting
copied to the kernel RSS queue 0 before getting dropped, it could
cause performance issues, regardless of whether or not suricata is
actually tracking them.

Based on that advice I configured suri to run 15 threads and only use
cores 1-15 for all tasks.  We'll see how that performs under peak load
today.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
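
An added example (not part of the original thread, and not Suricata project code): a shell check for the queue 0 skew discussed above, parsing per-queue RX counters in the form `ethtool -S` prints them. The `rx_queue_N_packets` counter names, the sample numbers and the default factor of 2 are assumptions.

```shell
#!/bin/sh
# Added example: find RX queues that carry a disproportionate share of packets,
# using per-queue counters in the style `ethtool -S <iface>` reports.

# Constructed sample (not from the thread): 4 RX queues, queue 0 overloaded.
sample_stats() {
cat <<'EOF'
NIC statistics:
     rx_packets: 1000000
     rx_queue_0_packets: 700000
     rx_queue_0_bytes: 520000000
     rx_queue_1_packets: 100000
     rx_queue_1_bytes: 90000000
     rx_queue_2_packets: 110000
     rx_queue_2_bytes: 95000000
     rx_queue_3_packets: 90000
     rx_queue_3_bytes: 80000000
EOF
}

# Reads `ethtool -S` text on stdin; prints "queue packets percent" per RX queue.
queue_share() {
    awk -F': *' '
        $1 ~ /^ *rx_queue_[0-9]+_packets$/ {
            q = $1; sub(/^ *rx_queue_/, "", q); sub(/_packets$/, "", q)
            pk[q] = $2; total += $2; if (q + 0 > max) max = q + 0
        }
        END {
            if (total == 0) exit 1
            for (i = 0; i <= max; i++)
                if (i in pk) printf "%d %d %.1f\n", i, pk[i], 100 * pk[i] / total
        }'
}

# Prints the ids of queues whose share exceeds FACTOR times an even split.
# FACTOR (default 2) is an assumed threshold, to be tuned per sensor.
skewed_queues() {
    factor=${1:-2}
    queue_share | awk -v f="$factor" '
        { id[NR] = $1; pct[NR] = $3 }
        END { for (i = 1; i <= NR; i++) if (pct[i] > f * 100 / NR) print id[i] }'
}

# Live use on the sensor interface: ethtool -S eth3 | skewed_queues
sample_stats | queue_share
echo "skewed: $(sample_stats | skewed_queues)"
```

The counters are cumulative since the driver was loaded, so comparing two snapshots taken a few minutes apart gives the share under current load.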


