[Oisf-users] Occasional burst of packet loss

Yasha Zislin coolyasha at hotmail.com
Mon Nov 3 16:02:31 UTC 2014


I have a pretty beefy server monitoring two SPAN ports. A lot of packets are flowing in there, mostly HTTP stuff. I have 40 logical CPUs (20 per SPAN Port). I am using PF_RING.
I've noticed that I get an occasional packet loss and it's a burst of packets. After that it is fine for days. So a couple of PF Ring instances report packet loss (i.e. cat /proc/net/pf_ring/*eth* | grep "Tot Pkt Lost").

Here is the first event after packet loss occurred. It happens within a minute and then stops.

capture.kernel_packets    | RxPFReth213               | 366410186
capture.kernel_drops      | RxPFReth213               | 639312
dns.memuse                | RxPFReth213               | 3089534
dns.memcap_state          | RxPFReth213               | 0
dns.memcap_global         | RxPFReth213               | 0
decoder.pkts              | RxPFReth213               | 366410186
decoder.bytes             | RxPFReth213               | 268927212125
decoder.invalid           | RxPFReth213               | 4111244
decoder.ipv4              | RxPFReth213               | 365972036
decoder.ipv6              | RxPFReth213               | 104297
decoder.ethernet          | RxPFReth213               | 366410186
decoder.raw               | RxPFReth213               | 0
decoder.sll               | RxPFReth213               | 0
decoder.tcp               | RxPFReth213               | 267634781
decoder.udp               | RxPFReth213               | 7537800
decoder.sctp              | RxPFReth213               | 0
decoder.icmpv4            | RxPFReth213               | 325917
decoder.icmpv6            | RxPFReth213               | 0
decoder.ppp               | RxPFReth213               | 0
decoder.pppoe             | RxPFReth213               | 0
decoder.gre               | RxPFReth213               | 0
decoder.vlan              | RxPFReth213               | 0
decoder.vlan_qinq         | RxPFReth213               | 0
decoder.teredo            | RxPFReth213               | 1410
decoder.ipv4_in_ipv6      | RxPFReth213               | 0
decoder.ipv6_in_ipv6      | RxPFReth213               | 0
decoder.avg_pkt_size      | RxPFReth213               | 733
decoder.max_pkt_size      | RxPFReth213               | 1514
defrag.ipv4.fragments     | RxPFReth213               | 84459996
defrag.ipv4.reassembled   | RxPFReth213               | 180
defrag.ipv4.timeouts      | RxPFReth213               | 0
defrag.ipv6.fragments     | RxPFReth213               | 0
defrag.ipv6.reassembled   | RxPFReth213               | 0
defrag.ipv6.timeouts      | RxPFReth213               | 0
defrag.max_frag_hits      | RxPFReth213               | 0
tcp.sessions              | RxPFReth213               | 2160679
tcp.ssn_memcap_drop       | RxPFReth213               | 0
tcp.pseudo                | RxPFReth213               | 335927
tcp.invalid_checksum      | RxPFReth213               | 0
tcp.no_flow               | RxPFReth213               | 0
tcp.reused_ssn            | RxPFReth213               | 1624
tcp.memuse                | RxPFReth213               | 15770704
tcp.syn                   | RxPFReth213               | 2457006
tcp.synack                | RxPFReth213               | 2182331
tcp.rst                   | RxPFReth213               | 1386908
tcp.segment_memcap_drop   | RxPFReth213               | 0
tcp.stream_depth_reached  | RxPFReth213               | 328
tcp.reassembly_memuse     | RxPFReth213               | 40356260000
tcp.reassembly_gap        | RxPFReth213               | 766124
http.memuse               | RxPFReth213               | 85581753
http.memcap               | RxPFReth213               | 0
detect.alert              | RxPFReth213               | 6375

I just hope it is not an attack attempt to evade IDS.
Any help would be appreciated.
Thanks.