[Oisf-users] Occasional burst of packet loss

Yasha Zislin coolyasha at hotmail.com
Wed Nov 5 15:28:51 UTC 2014


I am using latest Suricata release 2.0.4. BTW, I've had 2.0.1 version running recently and I had a drastic drop in number of alerts after like 5 hours of starting Suricata. 2.0.4 fixed that.
Actually, I managed to get the pf_ring number of slots way higher than the suggested default. I found out that the maximum number for me was 400000. Originally, during config tweaking, I noticed that a higher number of slots did improve packet loss. Recently, I've started testing with a lower number of slots (200000): same behavior as far as the occasional burst of packet loss.
For the NICs, I've done the following:

# ethtool -k ethx
Features for ethx:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
ntuple-filters: off
receive-hashing: off

# ethtool -c ethx
rx-usecs: 1000

# ethtool -g ethx
Ring parameters for ethx:
Pre-set maximums:
RX:             4078
RX Mini:        0
RX Jumbo:       0
TX:             4078
Current hardware settings:
RX:             4078
RX Mini:        0
RX Jumbo:       0
TX:             4078

> Date: Wed, 5 Nov 2014 00:11:29 +0100
> Subject: Re: [Oisf-users] Occasional burst of packet loss
> From: petermanev at gmail.com
> To: coolyasha at hotmail.com
> CC: cnelson at ucsd.edu; oisf-users at lists.openinfosecfoundation.org
> 
> On Tue, Nov 4, 2014 at 5:38 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> > How do you increase socket buffers?
> >
> > I've increased a lot of buffers already. That's why my memory utilization is
> > high.
> > I've also maxed out NIC buffers and PF_RING ring size.
> 
> Could you describe how and which NIC buffers you maxed out?
> 
> Suggestion for pf_ring in general:
> In a terminal:
> -> modprobe pf_ring transparent_mode=0 min_num_slots=65534 enable_tx_capture=0
> 
> to confirm:
> -> cat /proc/net/pf_ring/info
> 
> In suricata.yaml
> ->max-pending-packets: 65534
> 
> Which Suricata version are you using?
> 
> >
> > Thanks.
> >
> >> Date: Tue, 4 Nov 2014 08:11:36 -0800
> >> From: cnelson at ucsd.edu
> >> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> >> Subject: Re: [Oisf-users] Occasional burst of packet loss
> >>
> >> Not sure if this works the same as with PF_RING, but I've found
> >> increasing the socket buffers can help with packet drops during DOS
> >> attacks when running in AF_PACKET mode, e.g.:
> >>
> >> > buffer-size: 1048576
> >>
> >> On 11/3/2014 11:35 AM, Yasha Zislin wrote:
> >> >
> >> > I guess, I am trying to figure out if there is a way to reduce packet
> >> > loss and improve performance while being attacked by either DDOS or
> >> > something else.
> >> >
> >> > Thanks.
> >> >
> >>
> >> - --
> >> Cooper Nelson
> >> Network Security Analyst
> >> UCSD ACT Security Team
> >> cnelson at ucsd.edu x41042
> >
> 
> 
> 
> -- 
> Regards,
> Peter Manev
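
An added example, not part of the original thread: a small shell check that audits `ethtool -k` and `ethtool -g` output for the NIC settings listed in the message above (offloads disabled, RX ring at its pre-set maximum). The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit `ethtool -k` / `ethtool -g`
# output for a capture NIC. Both functions read the output on stdin.

# Print every offload feature from the message's list that is not "off";
# exit status 1 if any is found.
offloads_still_on() {
    awk -F':[ \t]*' '
        BEGIN {
            s = "rx-checksumming tx-checksumming scatter-gather"
            s = s " tcp-segmentation-offload udp-fragmentation-offload"
            s = s " generic-segmentation-offload generic-receive-offload"
            s = s " large-receive-offload ntuple-filters receive-hashing"
            n = split(s, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        { sub(/^[ \t]+/, "", $1) }
        ($1 in want) && $2 !~ /^off/ { print $1; bad = 1 }
        END { exit bad + 0 }
    '
}

# Compare the current RX ring size with the pre-set maximum;
# exit status 1 if the ring is smaller than the hardware allows.
rx_ring_below_max() {
    awk -F':[ \t]*' '
        /^Pre-set maximums/          { sect = "max" }
        /^Current hardware settings/ { sect = "cur" }
        $1 == "RX" { val[sect] = $2 + 0 }
        END {
            printf "RX ring: current=%d max=%d\n", val["cur"], val["max"]
            exit (val["cur"] < val["max"])
        }
    '
}

# Constructed sample input (not the poster's actual output): one offload
# left on, and the current RX ring set below the 4078 maximum.
SAMPLE_K='Features for ethx:
rx-checksumming: off
generic-receive-offload: on
large-receive-offload: off [fixed]'
SAMPLE_G='Ring parameters for ethx:
Pre-set maximums:
RX:             4078
Current hardware settings:
RX:             512'
printf '%s\n' "$SAMPLE_K" | offloads_still_on || echo "^ disable with ethtool -K"
printf '%s\n' "$SAMPLE_G" | rx_ring_below_max || echo "^ raise with ethtool -G"
```

On a live sensor, pipe the real command output in instead, for example `ethtool -k ethx | offloads_still_on`.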
 		 	   		  