[Oisf-users] (no subject)

Peter Manev petermanev at gmail.com
Thu Jun 12 08:59:48 UTC 2014


On Thu, Jun 12, 2014 at 8:54 AM, Peter Manev <petermanev at gmail.com> wrote:
> On Thu, Jun 12, 2014 at 7:13 AM, X.qing <xqing.summer at gmail.com> wrote:
>> Yes, I have read the article Christophe recommended. All my threads are used
>> and every CPU core is receiving interrupts from the network card, but it just
>> drops a lot. It seems that my problem is not caused by the lack of NIC queues.
>> No matter what, thank Christophe very much.
>>
>> What can be inferred from this record?
>> 11/6/2014 -- 16:58:29 - <Info> - Flow emergency mode over, back to
>> normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1402477082,
>> ts.tv_usec:696562) flow_spare_q status(): 70% flows at the queue
>>
>> I did not disable irqbalance before. I have disabled it and run
>> suricata for around 50 minutes this morning. Here are the latest stats.log
>> and suricata.log.
>>
>> https://drive.google.com/file/d/0B6V3lnZlrEKPM3JSYXpFZU5sTkE/edit?usp=sharing
>> https://drive.google.com/file/d/0B6V3lnZlrEKPVDBRclBrZHB4VkU/edit?usp=sharing
>>
>> Thanks again.
>> Best wishes.
>>
>>
>
>
> Please use pastebin.com; no one has access to your personal Gdrive.
>
>
>
> --
> Regards,
> Peter Manev


Can you try with the vlan tracker disabled in suricata.yaml?
It looks like you have a lot of vlan tags, and they might be retagged or
untagged at some point by your mirror device, and that will cause
issues during reassembly.

thanks


-- 
Regards,
Peter Manev
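
An added illustration of the effect described above (not part of the original message and not Suricata's code): a simplified flow table in Python showing how retagged or untagged mirror traffic splits one TCP session into several one-sided flows when the VLAN id is part of the flow key, which is what the vlan use-for-tracking setting in suricata.yaml controls. The packet layout, addresses and function names are constructed for the example.

```python
from collections import defaultdict

def pkt(src, sport, dst, dport, vlan):
    """Build a constructed sample packet record."""
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "vlan": vlan}

def flow_key(p, use_vlan):
    """Direction-independent flow key; the VLAN id is included only when tracking is on."""
    ends = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
    key = (p["proto"],) + ends
    return key + (p["vlan"],) if use_vlan else key

def group_flows(packets, use_vlan):
    """Assign each packet to a flow, as a simplified flow table would."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p, use_vlan)].append(p)
    return flows

def complete_sessions(flows):
    """Count flows that saw both directions, which stream reassembly needs."""
    return sum(1 for pkts in flows.values()
               if len({(p["src"], p["sport"]) for p in pkts}) == 2)

# Constructed sample: one TCP session as seen through a mirror port that
# retags or strips the VLAN header on the return path.
SAMPLE = [
    pkt("10.0.0.5", 40000, "192.0.2.10", 80, 100),   # client -> server, tag 100
    pkt("192.0.2.10", 80, "10.0.0.5", 40000, 200),   # reply, retagged to 200
    pkt("10.0.0.5", 40000, "192.0.2.10", 80, 100),   # client -> server, tag 100
    pkt("192.0.2.10", 80, "10.0.0.5", 40000, None),  # reply, untagged
]

if __name__ == "__main__":
    for use_vlan in (True, False):
        flows = group_flows(SAMPLE, use_vlan)
        print(f"vlan in flow key={use_vlan}: {len(flows)} flows, "
              f"{complete_sessions(flows)} with both directions")
```
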


