[Oisf-users] Occasional burst of packet loss

Peter Manev petermanev at gmail.com
Wed Nov 5 16:26:51 UTC 2014


On Wed, Nov 5, 2014 at 4:28 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> I am using latest Suricata release 2.0.4. BTW, I've had 2.0.1 version
> running recently and I had a drastic drop in number of alerts after like 5
> hours of starting Suricata. 2.0.4 fixed that.
>
> Actually, I managed to get pf_ring number of slots way higher than suggested
> default.
> I found out that maximum number for me was 400000. Originally during config
> tweaking, I've noticed that higher number of slots did improve packet loss.
> Recently, I've started testing with lower number of slots (200000), same
> behavior as far as occasional burst of packet loss.
>
> For the NICs, I've done the following:
> # ethtool -k ethx
> Features for ethx:
> rx-checksumming: off
> tx-checksumming: off
> scatter-gather: off
> tcp-segmentation-offload: off
> udp-fragmentation-offload: off
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off
> ntuple-filters: off
> receive-hashing: off
>
> # ethtool -c ethx
> rx-usecs: 1000
>

I would also try rx-usecs: 1 to see if there is any difference in performance.
What is your max-pending-packets set to?

> # ethtool -g ethx
> Ring parameters for ethx:
> Pre-set maximums:
> RX:             4078
> RX Mini:        0
> RX Jumbo:       0
> TX:             4078
> Current hardware settings:
> RX:             4078
> RX Mini:        0
> RX Jumbo:       0
> TX:             4078
>
>
>> Date: Wed, 5 Nov 2014 00:11:29 +0100
>> Subject: Re: [Oisf-users] Occasional burst of packet loss
>> From: petermanev at gmail.com
>> To: coolyasha at hotmail.com
>> CC: cnelson at ucsd.edu; oisf-users at lists.openinfosecfoundation.org
>
>>
>> On Tue, Nov 4, 2014 at 5:38 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
>> > How do you increase socket buffers?
>> >
>> > I've increased a lot of buffers already. That's why my memory utilization is high.
>> > I've also maxed out NIC buffers and PF_RING ring size.
>>
>> Could you describe how and which NIC buffers you maxed out?
>>
>> Suggestion for pf_ring in general:
>> In a terminal:
>> -> modprobe pf_ring transparent_mode=0 min_num_slots=65534 enable_tx_capture=0
>>
>> to confirm:
>> -> cat /proc/net/pf_ring/info
>>
>> In suricata.yaml
>> ->max-pending-packets: 65534
>>
>> Which Suricata version are you using?
>>
>> >
>> > Thanks.
>> >
>> >> Date: Tue, 4 Nov 2014 08:11:36 -0800
>> >> From: cnelson at ucsd.edu
>> >> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
>> >> Subject: Re: [Oisf-users] Occasional burst of packet loss
>> >>
>> >> Not sure if this works the same as with PF_RING, but I've found
>> >> increasing the socket buffers can help with packet drops during DOS
>> >> attacks when running in AF_PACKET mode. eg:
>> >>
>> >> > buffer-size: 1048576
>> >>
>> >> On 11/3/2014 11:35 AM, Yasha Zislin wrote:
>> >> >
>> >> > I guess, I am trying to figure out if there is a way to reduce packet
>> >> > loss and improve performance while being attacked by either DDOS or
>> >> > something else.
>> >> >
>> >> > Thanks.
>> >> >
>> >>
>> >> - --
>> >> Cooper Nelson
>> >> Network Security Analyst
>> >> UCSD ACT Security Team
>> >> cnelson at ucsd.edu x41042
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev



-- 
Regards,
Peter Manev
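
An added example, not part of the original thread: a small Python audit that parses saved `ethtool -k` and `ethtool -g` output and reports where a sensor NIC deviates from the settings quoted above (offloads off, RX ring at its pre-set maximum). The sample output and the interface name `eth0` are constructed for illustration.

```python
import re

# Feature names as they appear in the `ethtool -k` output quoted in the thread.
MUST_BE_OFF = set("""rx-checksumming tx-checksumming scatter-gather
tcp-segmentation-offload udp-fragmentation-offload generic-segmentation-offload
generic-receive-offload large-receive-offload ntuple-filters receive-hashing""".split())

# Constructed sample output (not from a real host): GRO left on, RX ring at 512.
SAMPLE_K = """Features for eth0:
rx-checksumming: off
tcp-segmentation-offload: off
generic-receive-offload: on
rx-vlan-offload: on [fixed]
"""
SAMPLE_G = """Ring parameters for eth0:
Pre-set maximums:
RX:             4078
Current hardware settings:
RX:             512
"""

def enabled_offloads(ethtool_k):
    """Names from MUST_BE_OFF that `ethtool -k` reports as 'on'."""
    pairs = re.findall(r"^\s*([\w-]+):\s+(on|off)\b", ethtool_k, re.M)
    return [name for name, state in pairs if state == "on" and name in MUST_BE_OFF]

def ring_sizes(ethtool_g):
    """Parse `ethtool -g` output into {'max': {...}, 'current': {...}}."""
    rings, section = {"max": {}, "current": {}}, None
    for line in ethtool_g.splitlines():
        if line.startswith("Pre-set maximums"):
            section = "max"
        elif line.startswith("Current hardware settings"):
            section = "current"
        elif section and line.partition(":")[2].strip().isdigit():
            key, _, value = line.partition(":")
            rings[section][key.strip()] = int(value)
    return rings

def audit(ethtool_k, ethtool_g):
    """List deviations from the NIC settings shown in the thread."""
    findings = ["offload enabled: " + n for n in enabled_offloads(ethtool_k)]
    rings = ring_sizes(ethtool_g)
    rx_cur, rx_max = rings["current"].get("RX"), rings["max"].get("RX")
    if rx_cur is not None and rx_max is not None and rx_cur < rx_max:
        findings.append(f"RX ring {rx_cur} below pre-set maximum {rx_max}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_K, SAMPLE_G)) or "no deviations")
```

On a live sensor, feed the functions the text captured from `ethtool -k ethX` and `ethtool -g ethX` instead of the constructed samples.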


