[Oisf-users] (no subject)

Peter Manev petermanev at gmail.com
Mon Mar 24 10:35:31 UTC 2014


On Mon, Mar 24, 2014 at 10:50 AM, Travel Factory S.r.l.
<mc8647 at mclink.it> wrote:
>
> After several months I'm back to suricata.
> Please help me understand what is going wrong in my setup.
>
> Server with 16 real cores, 32 gb ram.
> 10 gbit lan card: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network
> Connection (rev 01)
>
> O.S. is ubuntu 12.04. Suricata is the last 1.4. ixgbe driver updated to
> 3.18.7. ethtool to 3.13. Every "offloading" stuff set to off except:
> highdma: on [fixed]
> rx-vlan-filter: on [fixed]
> tx-fcoe-segmentation: on [fixed]
> tx-nocache-copy: on
>
> Interrupts are split among cores; irqbalance stopped.
>
> ifconfig reports:
>  RX packets:89109893 errors:0 dropped:13188 overruns:0 frame:0
> with the dropped value constant for a few seconds then rising always by a
> multiple of 4 each second.
>
> When tcpstat reports a load of 120mbit/s (or less) I can successfully capture
> all the traffic, above that level I start to have incomplete files.
>
> I'm currently using AF_PACKET, workers runmode, cluster_cpu, with 8 or 16
> threads (with no visible difference).
>
> I'm trying to check if I'm receiving all the packets from the lan side, but
> the lan people tell me it's everything ok on their side...
>
>
> Where can I look for problems ?  I spent several days trying to optimize
> everything I could but with no success so far...

You can check stats.log for more clues.

>
> Thanks



-- 
Regards,
Peter Manev
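
One way to act on the stats.log suggestion above, as an added example that is not part of the original thread and not Suricata project code: it reads the per-thread capture.kernel_packets and capture.kernel_drops counters and reports the drop percentage over the most recent interval, which shows whether loss is spread evenly or concentrated on a few AF_PACKET worker threads. The sample log, thread names and values are constructed, and the counters are treated as cumulative since start.

```python
import re

# Constructed sample in the Suricata 1.4 stats.log layout; all values are made up.
SAMPLE = """\
-------------------------------------------------------------------
Date: 3/24/2014 -- 10:30:00 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1000000
capture.kernel_drops      | AFPacketeth01             | 0
capture.kernel_packets    | AFPacketeth02             | 900000
capture.kernel_drops      | AFPacketeth02             | 100
-------------------------------------------------------------------
Date: 3/24/2014 -- 10:30:08 (uptime: 0d, 00h 05m 08s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1500000
capture.kernel_drops      | AFPacketeth01             | 30000
capture.kernel_packets    | AFPacketeth02             | 1400000
capture.kernel_drops      | AFPacketeth02             | 100
"""

# "counter | thread | integer"; the column header row does not match.
ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")
def snapshots(text):
    """Split stats.log text into a list of {thread: {counter: value}} dicts."""
    out = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            out.append({})
        m = ROW.match(line)
        if m and out:
            counter, thread, value = m.groups()
            out[-1].setdefault(thread, {})[counter] = int(value)
    return out

def drop_report(text):
    """Per-thread kernel drop % between the last two snapshots (padded if fewer)."""
    prev, last = ([{}, {}] + snapshots(text))[-2:]
    report = {}
    for thread, c in last.items():
        p = prev.get(thread, {})
        pkts = c.get("capture.kernel_packets", 0) - p.get("capture.kernel_packets", 0)
        drops = c.get("capture.kernel_drops", 0) - p.get("capture.kernel_drops", 0)
        report[thread] = round(100.0 * drops / pkts, 2) if pkts > 0 else 0.0
    return report

print(drop_report(SAMPLE))
```

A thread whose percentage climbs while the others stay flat is the one to look at first.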


