[Oisf-users] Occasional burst of packet loss

Yasha Zislin coolyasha at hotmail.com
Mon Nov 3 18:09:44 UTC 2014

That makes sense. So you are saying that if there is a DOS attack to one host, only one thread would be utilized for inspection? It wouldn't just spread out across all detection threads?
Also, I did look at other threads and some have less capture.kernel_packets and some have MORE. These with higher values have no packet loss.
Here is another twist to the story. So these two SPAN ports that I monitor are before and after border firewall. Packet loss occurs only on internal interface. I would think that the firewall has high chance of stopping DOS attack.
Thanks for the info.

> Date: Mon, 3 Nov 2014 09:48:30 -0800
> From: cnelson at ucsd.edu
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Occasional burst of packet loss
> If you are monitoring a big DMZ network (like an ISP), then you will
> almost certainly see sporadic packet drops due to DOS events.  Suricata
> seems to have a hard limit of packets-per-second-per-core and will drop
> packets if there is flood to/from a specific host.
> -Coop
> On 11/3/2014 8:02 AM, Yasha Zislin wrote:
> > I have a pretty beefy server monitoring two SPAN ports. A lot of packets
> > are flowing in there, mostly HTTP stuff.
> > I have 40 logical CPUs (20 per SPAN Port). I am using PF_RING.
> > 
> > I've noticed that I get an occasional packet loss and it's a burst of
> > packets. After that it is fine for days.
> > So couple of PF Ring instances report packet loss  (ie cat
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
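The thread above is debating whether a flood to a single host lands on one capture thread and whether the threads that show drops are also the busiest ones. As an added example (not code from this thread or from Suricata), here is a small parser for Suricata's stats.log "counter | thread | value" lines that reports per-thread capture.kernel_drops and how far the busiest thread sits above the median; the sample input and thread names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed stats.log excerpt in Suricata's "counter | thread | value" layout.
# Thread names and numbers are made up; one thread is deliberately much busier
# and is the only one dropping packets.
SAMPLE_STATS = """\
capture.kernel_packets | RxPFReth01 | 1000000
capture.kernel_drops   | RxPFReth01 | 0
capture.kernel_packets | RxPFReth02 | 1200000
capture.kernel_drops   | RxPFReth02 | 0
capture.kernel_packets | RxPFReth03 | 4800000
capture.kernel_drops   | RxPFReth03 | 350000
capture.kernel_packets | RxPFReth04 | 900000
capture.kernel_drops   | RxPFReth04 | 0
"""

LINE_RE = re.compile(r"^\s*(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)")


def parse_capture_counters(text):
    """Return {thread: {"packets": n, "drops": n}} from stats.log text.
    Counters in stats.log are cumulative, so the last sample per thread wins."""
    per_thread = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        counter, thread, value = m.groups()
        key = "packets" if counter.endswith("packets") else "drops"
        per_thread[thread][key] = int(value)
    return dict(per_thread)


def drop_report(per_thread):
    """(thread, packets, drops, drop_pct) per thread, worst drop percentage first."""
    rows = []
    for name, c in per_thread.items():
        pct = 100.0 * c["drops"] / c["packets"] if c["packets"] else 0.0
        rows.append((name, c["packets"], c["drops"], round(pct, 2)))
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


def busiest_vs_median(per_thread):
    """Ratio of the busiest thread's packet count to the median thread's.
    A ratio well above 1 means one capture thread receives a disproportionate
    share, as you would expect when a single flow is hashed onto that thread."""
    counts = sorted(c["packets"] for c in per_thread.values())
    median = counts[len(counts) // 2]
    return counts[-1] / median
```

Comparing the top row of drop_report() with busiest_vs_median() shows at a glance whether the dropping thread is also the overloaded one, which is the question raised in the thread.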