[Oisf-users] (no subject)
Cooper F. Nelson
cnelson at ucsd.edu
Mon Mar 24 12:53:50 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As Peter said, I'm not sure what problem you are trying to solve. I've
copied my running stats below; some packet drops are expected, and as
long as it's under 1% it should be considered normal. Also note that I'm
running some extremely aggressive BPF filters to sample traffic and
filter out top-talkers (like Akamai and Netflix).
And again, try setting "buffer-size: 0" under the af-packet: config to
disable socket buffers when using AF_PACKET + mmap mode.
> capture.kernel_packets | AFPacketeth28 | 560946126
> capture.kernel_drops | AFPacketeth28 | 2873336
> dns.memuse | AFPacketeth28 | 16816141
> dns.memcap_state | AFPacketeth28 | 457775
> dns.memcap_global | AFPacketeth28 | 261391854
> decoder.pkts | AFPacketeth28 | 558043372
> decoder.bytes | AFPacketeth28 | 237249909848
> decoder.invalid | AFPacketeth28 | 328
> decoder.ipv4 | AFPacketeth28 | 559759992
> decoder.ipv6 | AFPacketeth28 | 69870
> decoder.ethernet | AFPacketeth28 | 558043372
> decoder.raw | AFPacketeth28 | 0
> decoder.sll | AFPacketeth28 | 0
> decoder.tcp | AFPacketeth28 | 537564165
> decoder.udp | AFPacketeth28 | 16458428
> decoder.sctp | AFPacketeth28 | 0
> decoder.icmpv4 | AFPacketeth28 | 0
> decoder.icmpv6 | AFPacketeth28 | 0
> decoder.ppp | AFPacketeth28 | 0
> decoder.pppoe | AFPacketeth28 | 0
> decoder.gre | AFPacketeth28 | 0
> decoder.vlan | AFPacketeth28 | 0
> decoder.vlan_qinq | AFPacketeth28 | 0
> decoder.teredo | AFPacketeth28 | 69870
> decoder.ipv4_in_ipv6 | AFPacketeth28 | 0
> decoder.ipv6_in_ipv6 | AFPacketeth28 | 0
> decoder.avg_pkt_size | AFPacketeth28 | 425
> decoder.max_pkt_size | AFPacketeth28 | 1514
> defrag.ipv4.fragments | AFPacketeth28 | 5737399
> defrag.ipv4.reassembled | AFPacketeth28 | 1716620
> defrag.ipv4.timeouts | AFPacketeth28 | 0
> defrag.ipv6.fragments | AFPacketeth28 | 0
> defrag.ipv6.reassembled | AFPacketeth28 | 0
> defrag.ipv6.timeouts | AFPacketeth28 | 0
> defrag.max_frag_hits | AFPacketeth28 | 0
> tcp.sessions | AFPacketeth28 | 8745870
> tcp.ssn_memcap_drop | AFPacketeth28 | 0
> tcp.pseudo | AFPacketeth28 | 825844
> tcp.invalid_checksum | AFPacketeth28 | 1397
> tcp.no_flow | AFPacketeth28 | 0
> tcp.reused_ssn | AFPacketeth28 | 10092
> tcp.memuse | AFPacketeth28 | 51150736
> tcp.syn | AFPacketeth28 | 27340002
> tcp.synack | AFPacketeth28 | 10362963
> tcp.rst | AFPacketeth28 | 2763392
> tcp.segment_memcap_drop | AFPacketeth28 | 0
> tcp.stream_depth_reached | AFPacketeth28 | 400
> tcp.reassembly_memuse | AFPacketeth28 | 1449860762
> tcp.reassembly_gap | AFPacketeth28 | 717227
> http.memuse | AFPacketeth28 | 171203830
> http.memcap | AFPacketeth28 | 0
> detect.alert | AFPacketeth28 | 54250
- -Coop
On 3/24/2014 5:08 AM, Travel Factory S.r.l. wrote:
> On Mon, 24 Mar 2014 05:02:44 -0700
> "Cooper F. Nelson" <cnelson at ucsd.edu> wrote:
>>
>> This is a known issue with this configuration, see:
>>
>>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>
>
> That web page was my inspiration... but I can't get good results from a
> 200 mbit/s flow.... :-(
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTMCreAAoJEKIFRYQsa8FWOtsIAJ0kOsyt0/ojJU/N71Zz1FaO
eCCrHiNY06YY14W9a4hWUd9p2M+sJXJy+xNR3RB80geFyqp4W0OEGRBUQ+bT6LSA
Djzql2MDnW71dm0if7d7yj0hfwOqVpS3hW3vLyMuqjx1qwzA8epaRvJH2pVrBlr1
Rz+MOZRa9IyHwql3aE2GIJ70oAg2LPCCbts3nSpotX6AVkc44pcFFz584nsjye2X
U5I9ujart0AHIZEP/nQ2X5iTOuJHEa91cyrz1OtXZhJRi7fS5cQP9xIfX3hATPJx
HqdiGj4vz47FmnZ5bkSF9lb5Kr2xb42CjeLA8US30yNfn/7qzboa1ayoeETvMMg=
=QbOV
-----END PGP SIGNATURE-----
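The rule of thumb in the message above (kernel drops are tolerable while they stay under 1% of kernel packets) is easy to check mechanically, and worth checking per interval rather than only cumulatively, because stats.log counters only grow since Suricata started and a fine lifetime average can hide a bad last few minutes. The script below is an added example, not code from the post or from the Suricata project: it parses lines in the "counter | thread | value" layout shown above (quote marks tolerated), computes the drop share for each capture thread, and compares two snapshots. The current snapshot uses the two capture counters from the post; the earlier snapshot is constructed for illustration and is not data from the thread.

```python
"""Drop-rate check over Suricata stats.log counters (added example, not from the post)."""
import re
from typing import Dict, List, Tuple

# Counter names as they appear in stats.log.
KERNEL_PACKETS = "capture.kernel_packets"
KERNEL_DROPS = "capture.kernel_drops"

# Alert when drops exceed this share of kernel packets (the thread's 1% rule of thumb).
DROP_THRESHOLD = 0.01

# "counter | thread | value" lines, optionally prefixed by e-mail quote marks (">").
_LINE = re.compile(r"^\s*(?:>\s*)*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Snapshot taken from the post above (real counters for thread AFPacketeth28).
CURRENT_SNAPSHOT = """
> capture.kernel_packets | AFPacketeth28 | 560946126
> capture.kernel_drops | AFPacketeth28 | 2873336
> decoder.pkts | AFPacketeth28 | 558043372
"""

# Constructed earlier snapshot (assumed values, not from the thread) to show an interval check.
PREVIOUS_SNAPSHOT = """
capture.kernel_packets | AFPacketeth28 | 500000000
capture.kernel_drops | AFPacketeth28 | 2000000
"""

Stats = Dict[Tuple[str, str], int]


def parse_stats(text: str) -> Stats:
    """Map (counter, thread) -> value for every parsable line; headers and rules are skipped."""
    stats: Stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            counter, thread, value = m.groups()
            stats[(counter, thread)] = int(value)
    return stats


def capture_threads(stats: Stats) -> List[str]:
    """Threads that report a kernel_packets counter."""
    return sorted({t for (c, t) in stats if c == KERNEL_PACKETS})


def drop_rate(stats: Stats, thread: str) -> float:
    """Cumulative kernel_drops / kernel_packets for one capture thread."""
    packets = stats[(KERNEL_PACKETS, thread)]
    drops = stats.get((KERNEL_DROPS, thread), 0)
    return drops / packets if packets else 0.0


def interval_drop_rate(prev: Stats, curr: Stats, thread: str) -> float:
    """Drop rate over the interval between two snapshots (counters are cumulative)."""
    packets = curr[(KERNEL_PACKETS, thread)] - prev[(KERNEL_PACKETS, thread)]
    drops = curr.get((KERNEL_DROPS, thread), 0) - prev.get((KERNEL_DROPS, thread), 0)
    if packets <= 0:  # counter reset (Suricata restarted) or no traffic: nothing to judge
        return 0.0
    return drops / packets


def threads_over_threshold(prev: Stats, curr: Stats,
                           threshold: float = DROP_THRESHOLD) -> List[str]:
    """Capture threads whose drop rate over the last interval exceeds the threshold."""
    return [t for t in capture_threads(curr)
            if interval_drop_rate(prev, curr, t) > threshold]


if __name__ == "__main__":
    prev, curr = parse_stats(PREVIOUS_SNAPSHOT), parse_stats(CURRENT_SNAPSHOT)
    for t in capture_threads(curr):
        print(f"{t}: cumulative {drop_rate(curr, t):.3%}, "
              f"last interval {interval_drop_rate(prev, curr, t):.3%}")
    print("over threshold:", threads_over_threshold(prev, curr))
```

With the post's counters the cumulative rate comes out at about 0.51%, inside the 1% guideline; against the constructed earlier snapshot the last interval is about 1.43%, which is the kind of burst a cumulative figure smooths over. In practice you would feed it two consecutive stats.log dumps, or run it on each dump and keep the previous one.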