[Oisf-users] Configuration strategy for TCP segment pools/chunk pool

Peter Manev petermanev at gmail.com
Sun May 25 14:00:29 UTC 2014


On Sun, May 25, 2014 at 11:26 AM, Darren Spruell <phatbuckett at gmail.com> wrote:
> Suricata 2.0 REL, Linux 3.10.40, AF_PACKET autofp runmode, 64 GB RAM.
>
> I'm gimping through some Suricata tuning and dealing with high (66%!)
> rates of packet loss. I have a number of limits set fairly high and am
> looking for signs of what else may be contributing to packet drop.
> Wondering currently about this type of output:
>
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 4 had a peak
> use of 2041 segments, more than the prealloc setting of 256
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 16 had a
> peak use of 105439 segments, more than the prealloc setting of 9216
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 112 had a
> peak use of 396057 segments, more than the prealloc setting of 30720
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 248 had a
> peak use of 189218 segments, more than the prealloc setting of 16384
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 512 had a
> peak use of 506936 segments, more than the prealloc setting of 32768
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 768 had a
> peak use of 434310 segments, more than the prealloc setting of 49152
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 1448 had a
> peak use of 961419 segments, more than the prealloc setting of 131072
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 65535 had a
> peak use of 89941 segments, more than the prealloc setting of 32768
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment chunk pool had a peak use
> of 400440 chunks, more than the prealloc setting of 49152
>
> As can be seen a number of the prealloc settings have been raised from
> the defaults, and these were set based on a previous set of output
> lines from previous run where the preallocated pool size was set to be
> slightly higher than the peak use at that time.
>
> I don't quite understand what my aim should be with respect to these
> settings. Is it useful to preallocate segment pool capacity to support
> the peak use figures a sensor deals with? Are these segment pool
> settings potentially important for performance tuning? Could
> suboptimal settings potentially affect packet drop on a sensor?
>
> Thanks!
>

Have you tried workers runmode instead of autofp? (huge perf gain in
my experience)
How many rules are you using/loading?


-- 
Regards,
Peter Manev
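
An added example, not part of either message and not Suricata code: a Python sketch that parses the pool lines quoted above (re-joining the mail client's wrapping) and reports the peak-to-prealloc ratio plus the payload memory that preallocating to peak would take. It assumes a pool of size N reserves N payload bytes per segment and ignores per-segment bookkeeping overhead, so the byte figures are lower bounds.

```python
import re

# Three of the log lines quoted in the message above, copied with the
# mail client's line wrapping and "> " quote prefixes intact.
SAMPLE = """\
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 1448 had a
> peak use of 961419 segments, more than the prealloc setting of 131072
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 65535 had a
> peak use of 89941 segments, more than the prealloc setting of 32768
> 25/5/2014 -- 00:36:29 - <Info> - TCP segment chunk pool had a peak use
> of 400440 chunks, more than the prealloc setting of 49152
"""

POOL_RE = re.compile(
    r"TCP segment (?:pool of size (\d+)|chunk pool) had a peak use of (\d+) "
    r"(?:segments|chunks), more than the prealloc setting of (\d+)"
)

def unwrap(text):
    """Drop quote prefixes and re-join wrapped log lines into one string."""
    lines = [re.sub(r"^(?:>\s?)+", "", line) for line in text.splitlines()]
    return " ".join(" ".join(lines).split())

def parse_pools(text):
    """Return one dict per pool line; size is None for the chunk pool."""
    pools = []
    for size, peak, prealloc in POOL_RE.findall(unwrap(text)):
        size = int(size) if size else None
        peak, prealloc = int(peak), int(prealloc)
        pools.append({
            "size": size,
            "peak": peak,
            "prealloc": prealloc,
            "ratio": peak / prealloc,
            # Assumption: a pool of size N reserves N payload bytes per
            # segment; struct overhead is ignored, so this is a lower bound.
            "peak_payload_bytes": size * peak if size else None,
        })
    return pools

if __name__ == "__main__":
    for p in parse_pools(SAMPLE):
        name = f"size {p['size']}" if p["size"] else "chunk pool"
        mib = p["peak_payload_bytes"]
        mib = f"{mib / 2**20:.0f} MiB" if mib else "n/a"
        print(f"{name:>11}: peak {p['peak']} = {p['ratio']:.1f}x prealloc, "
              f"payload at peak >= {mib}")
```
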


