[Oisf-users] (no subject)
Cooper F. Nelson
cnelson at ucsd.edu
Thu Mar 27 17:32:23 UTC 2014
If ifconfig is reporting dropped packets it's a problem outside of
suricata. Try adding these lines to /etc/sysctl.conf:
net.core.netdev_max_backlog = 8000000
net.core.rmem_default = 1073741824
net.core.rmem_max = 1073741824
and apply them via "sysctl -p".
And again, suricata will still drop packets in AF_PACKET/worker mode
while starting up or under heavy load from a single tcp/flow. I copied
our current stats; as long as total dropped packets are under 1% it
should be considered acceptable.
I'm pretty sure suricata could be redesigned to eliminate dropped
packets by using some sort of queuing/backing store, but this would take
a major architectural change (which I'm not sure is justified). I'm
thinking something like allowing a single, massive (i.e. multi-gigabyte)
AF_PACKET ringbuffer that then feeds the smaller worker queues.
Our current running stats are listed below:
> capture.kernel_packets | AFPacketeth21 | 1076783172
> capture.kernel_drops | AFPacketeth21 | 6177235
> capture.kernel_packets | AFPacketeth22 | 1069771882
> capture.kernel_drops | AFPacketeth22 | 21077
> capture.kernel_packets | AFPacketeth23 | 1199702484
> capture.kernel_drops | AFPacketeth23 | 16609405
> capture.kernel_packets | AFPacketeth24 | 1062094071
> capture.kernel_drops | AFPacketeth24 | 13092
> capture.kernel_packets | AFPacketeth25 | 1047585195
> capture.kernel_drops | AFPacketeth25 | 1043384
> capture.kernel_packets | AFPacketeth26 | 1056930985
> capture.kernel_drops | AFPacketeth26 | 1303779
> capture.kernel_packets | AFPacketeth27 | 1053915440
> capture.kernel_drops | AFPacketeth27 | 9055
> capture.kernel_packets | AFPacketeth28 | 1091784398
> capture.kernel_drops | AFPacketeth28 | 772802
> capture.kernel_packets | AFPacketeth29 | 1068336093
> capture.kernel_drops | AFPacketeth29 | 1234613
> capture.kernel_packets | AFPacketeth210 | 1088529008
> capture.kernel_drops | AFPacketeth210 | 222452
> capture.kernel_packets | AFPacketeth211 | 1075741347
> capture.kernel_drops | AFPacketeth211 | 651078
> capture.kernel_packets | AFPacketeth212 | 1072055259
> capture.kernel_drops | AFPacketeth212 | 7510
> capture.kernel_packets | AFPacketeth213 | 1095225814
> capture.kernel_drops | AFPacketeth213 | 721384
> capture.kernel_packets | AFPacketeth214 | 1081964802
> capture.kernel_drops | AFPacketeth214 | 13128
> capture.kernel_packets | AFPacketeth215 | 1150994478
> capture.kernel_drops | AFPacketeth215 | 392463
On 3/27/2014 6:43 AM, Travel Factory S.r.l. wrote:
>
> Results:
> ifconfig still has dropped packets... actually there are more now, and
> not only as multiple of 4...
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
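The 1% rule of thumb from the post, applied to stats.log-style lines, as an added example that is not part of the original message. It parses `capture.kernel_packets` / `capture.kernel_drops` counters per AF_PACKET thread, computes the drop ratio per thread and overall, and lists threads over the threshold; the three sample threads reuse values quoted in the post, and the ratio drops/kernel_packets is an assumption about how to read the counters.

```python
import re
from collections import defaultdict

# Constructed sample in the "counter | thread | value" layout of Suricata's
# stats.log; the values are the first three threads quoted in the post.
SAMPLE_STATS = """\
capture.kernel_packets | AFPacketeth21 | 1076783172
capture.kernel_drops | AFPacketeth21 | 6177235
capture.kernel_packets | AFPacketeth22 | 1069771882
capture.kernel_drops | AFPacketeth22 | 21077
capture.kernel_packets | AFPacketeth23 | 1199702484
capture.kernel_drops | AFPacketeth23 | 16609405
"""

LINE_RE = re.compile(
    r"^\s*(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$"
)


def parse_stats(text):
    """Return {thread: {"packets": n, "drops": n}} from stats.log-style lines."""
    per_thread = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.splitlines():
        # Tolerate mail-quoted lines ("> ...") as well as raw stats.log lines.
        m = LINE_RE.match(line.lstrip("> "))
        if not m:
            continue  # other counters and prose are ignored
        counter, thread, value = m.groups()
        key = "packets" if counter.endswith("packets") else "drops"
        per_thread[thread][key] = int(value)
    return dict(per_thread)


def drop_ratio(packets, drops):
    """Assumed metric: kernel_drops as a fraction of kernel_packets."""
    return drops / packets if packets else 0.0


def check_drops(text, threshold=0.01):
    """Per-thread and overall drop ratios plus the threads over the threshold."""
    stats = parse_stats(text)
    ratios = {t: drop_ratio(v["packets"], v["drops"]) for t, v in stats.items()}
    total_pkts = sum(v["packets"] for v in stats.values())
    total_drops = sum(v["drops"] for v in stats.values())
    overall = drop_ratio(total_pkts, total_drops)
    over = sorted(t for t, r in ratios.items() if r > threshold)
    return {"per_thread": ratios, "overall": overall, "over_threshold": over}
```

On the sample, the total stays under 1% while AFPacketeth23 alone is about 1.4%, which is the kind of per-thread hot spot a total-only check hides.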