[Oisf-users] Packet Loss

Cooper F. Nelson cnelson at ucsd.edu
Mon Jun 9 16:28:13 UTC 2014



Some additional tweaks to try:

1.  Set all of your "closed" flow-timeouts to 0.

2.  Set your stream -> depth to 8kb.

If that fixes your performance issues you can try increasing the stream
depths until you find what the limit is for your hardware.

Keep in mind that Suricata isn't magic and if you are pushing monster
HTTP flows (like we are) you may need to make some concessions on your
current hardware.  As I mentioned, one approach is to sample traffic via
BPF filters.

-Coop

On 6/9/2014 8:44 AM, Yasha Zislin wrote:
> I've done some additional testing.
> 
> I've run pfcount with 16 threads with the same parameters as Suricata does.
> I've had only one instance of /proc/net/pf_ring instantiated but 16
> threads in processes (top -H).
> 
> I've been running it for an hour with 0 packet loss. PF_RING slot usage
> does not go above 200 (with 688k total).
> 
> So my packet loss is due to Suricata and is not network/pf_ring related.
> 
> Thanks.
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
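The two tweaks from the message above, written out as a suricata.yaml fragment. This is an added example, not part of the original post; the section and key names are assumed to match the stock suricata.yaml of that era, and treating the emergency-closed values as "closed" timeouts is an assumption.

```yaml
# Fragment of suricata.yaml: only the keys being changed are shown,
# every other key in these sections stays as it is in your file.

flow-timeouts:
  default:
    closed: 0             # tweak 1: drop closed flows immediately
    emergency-closed: 0   # assumption: emergency variant counted as a "closed" timeout
  tcp:
    closed: 0
    emergency-closed: 0   # assumption, as above
  # udp and icmp carry no "closed" timeout in the stock file (assumption),
  # so there is nothing to change for them.

stream:
  reassembly:
    depth: 8kb            # tweak 2: starting point; raise stepwise while watching drops
```

The reassembly depth caps how much of each TCP stream is reassembled for inspection, so data past the first 8kb of a stream is not seen by stream-based detection; that is the coverage given up in exchange for fewer drops.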


