[Oisf-users] tuning
Peter Manev
petermanev at gmail.com
Thu Jun 12 16:56:23 UTC 2014
On Thu, Jun 12, 2014 at 11:41 AM, X.qing <xqing.summer at gmail.com> wrote:
> OK, I get it.
> The latest stats.log http://pastebin.com/P81PKgFf after I disabled
> vlan tracking.
What is the output of
    ethtool -n eth3 rx-flow-hash udp6
    ethtool -n eth3 rx-flow-hash udp4
Disable those:
    midstream: true
    async-oneside: true
to
    midstream: false
    async-oneside: false
What is the output of the first 5 lines of:
    tcpstat -i eth3 -o "Time:%S\tn=%n\tavg=%a\tstddev=%d\tbps=%b\n" 1
Try those settings for flow in suricata.yaml:
    flow:
      memcap: 4gb
      hash-size: 15728640
      prealloc: 8000000
      emergency-recovery: 30
What is the output of:
    ethtool -g eth3
Make sure you use 16 threads in af-packet
and you have cluster-type: cluster_cpu
Change to:
    http:
      enabled: yes
      memcap: 4gb
also
    dns:
      # memcaps. Globally and per flow/state.
      global-memcap: 4gb
      state-memcap: 512kb
I see that the majority of the packets are 240-250 byte size ... Just
curious - what would be the reason for that?
Thanks
--
Regards,
Peter Manev
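
An added example, not part of the original message or of the Suricata project: a small Python check that compares a suricata.yaml fragment with the values suggested in the message above and reports what differs or is missing. The sample fragment is constructed, and the nesting of the keys under stream/flow/app-layer and the 1024-based size units are assumptions.

```python
import re
# Values from the message; nesting under stream/flow/app-layer is an assumption.
SUGGESTED = {
    "stream.midstream": "false", "stream.async-oneside": "false",
    "flow.memcap": "4gb", "flow.hash-size": "15728640",
    "flow.prealloc": "8000000", "flow.emergency-recovery": "30",
    "http.memcap": "4gb", "dns.global-memcap": "4gb", "dns.state-memcap": "512kb",
}
UNITS = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}  # assumed 1024-based
# Constructed sample fragment, not the poster's configuration.
SAMPLE = """\
stream:
  midstream: true
  async-oneside: false
flow:
  memcap: 4096mb   # same size as 4gb
  hash-size: 65536
app-layer:
  protocols:
    dns:
      global-memcap: 4GB
"""
def normalise(value):
    """Convert sizes such as '4gb' to bytes; lower-case everything else."""
    m = re.fullmatch(r"(\d+)\s*(kb|mb|gb)", value.strip().lower())
    return int(m.group(1)) * UNITS[m.group(2)] if m else value.strip().lower()

def flatten(text):
    """Flatten mapping-only YAML (no lists or flow style) into dotted paths."""
    stack, out = [], {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        stack = [s for s in stack if s[0] < indent] + [(indent, key)]
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip()
    return out

def drift(text):
    """Return {setting: (found, suggested)} for values that differ or are absent."""
    flat, report = flatten(text), {}
    for suffix, want in SUGGESTED.items():
        found = next((v for p, v in flat.items() if ("." + p).endswith("." + suffix)), None)
        if found is None or normalise(found) != normalise(want):
            report[suffix] = (found, want)
    return report
```

Calling `drift(SAMPLE)` flags `midstream`, `hash-size` and the absent keys, while `4096mb` and `4GB` pass because sizes are compared in bytes.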