[Oisf-users] (no subject)

Cooper F. Nelson cnelson at ucsd.edu
Fri Mar 28 18:30:46 UTC 2014



Ok, just noticed this.  I'm wondering if what you are observing is a
side-effect of the testing methodology; for example, if you are downloading
a bunch of these files as fast as possible, Suricata may be running out of
memory/buffers to track them all.

Maybe try downloading files with a one-second delay between them?  Or
increasing the size of the AF_PACKET ring buffer?

Again, in AF_PACKET/worker mode, there is a hard limit on the number of
packets Suricata can track per receive queue.  I believe there is also a
limit in packets/second, per thread.  Filtering out high-volume flows
(e.g. Netflix) did wonders to improve our performance and reduce dropped
packets, so again I have to wonder if your tests are causing a DoS
condition.

You might want to try this experiment again using the autofp runmode
instead of workers.

-Coop

On 3/28/2014 7:22 AM, Travel Factory S.r.l. wrote:

> 
> Repeating my tests at this moment (40 wgets of the same file), I get 26
> files stored OK, and the rest are partial...
> 
> # ll *.meta | wc -l
> 930
> # grep -h STATE *.meta | sort | uniq -c
>     365 STATE:             CLOSED
>      46 STATE:             TRUNCATED
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
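One way to run the re-test Coop suggests (pace the downloads, then tally the STATE values in the file-store .meta files) as a small shell script. This is an added example, not code from the thread or from the Suricata project; the URL and the file-store directory are placeholders, and the only thing assumed about the .meta format is the `STATE:` line shown in the quoted output.

```shell
#!/bin/sh
# Added example (not from the thread): re-run the file-extraction test with a
# pause between downloads, then tally the STATE values in Suricata's .meta files.
# Assumptions: wget is available; FILESTORE is the file-store log directory
# (default path below is a guess); each .meta file carries one line of the form
# "STATE:   CLOSED" or "STATE:   TRUNCATED", as in the quoted output.
FILESTORE=${FILESTORE:-/var/log/suricata/files}

# Fetch URL $1 $2 times, sleeping $3 seconds (default 1) between fetches so the
# sensor sees one flow at a time instead of 40 back-to-back.
paced_fetch() {
  url=$1; count=$2; delay=${3:-1}
  i=0
  while [ "$i" -lt "$count" ]; do
    wget -q -O /dev/null "$url"
    sleep "$delay"
    i=$((i + 1))
  done
}

# Number of .meta files in directory $1 (0 if none or if the directory is missing).
meta_count() {
  n=0
  for f in "$1"/*.meta; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Print "STATE count" for each distinct STATE value found in $1/*.meta
# (same information as grep -h STATE *.meta | sort | uniq -c, in a fixed layout).
tally_states() {
  grep -h '^STATE:' "$1"/*.meta 2>/dev/null \
    | awk '{print $2}' | sort | uniq -c | awk '{print $2, $1}'
}

# Number of .meta files in $1 whose STATE is TRUNCATED.
truncated_count() {
  grep -l '^STATE: *TRUNCATED' "$1"/*.meta 2>/dev/null | wc -l | tr -d ' '
}

# Usage against a live sensor (uncomment; URL is a placeholder):
#   paced_fetch http://example.invalid/test.bin 40 1
#   echo "meta files: $(meta_count "$FILESTORE")"
#   tally_states "$FILESTORE"
#   echo "truncated: $(truncated_count "$FILESTORE")"
```

Run the tally once with back-to-back wgets and once with the one-second pause; if the TRUNCATED count drops only in the paced run, the truncation tracks load on the sensor rather than anything about the file itself, which is the distinction the message is asking about.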
