[Oisf-users] Occasional burst of packet loss

Yasha Zislin coolyasha at hotmail.com
Wed Nov 5 16:33:27 UTC 2014


I don't recall in which article I found the advice to set rx-usecs to 1000, but I will give it a shot with 1.
For max-pending-packets, I have it set to 65000. I believe this is the maximum (or close at least).

> Date: Wed, 5 Nov 2014 17:26:51 +0100
> Subject: Re: [Oisf-users] Occasional burst of packet loss
> From: petermanev at gmail.com
> To: coolyasha at hotmail.com
> CC: cnelson at ucsd.edu; oisf-users at lists.openinfosecfoundation.org
> 
> On Wed, Nov 5, 2014 at 4:28 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> > I am using latest Suricata release 2.0.4. BTW, I've had 2.0.1 version
> > running recently and I had a drastic drop in number of alerts after like 5
> > hours of starting Suricata. 2.0.4 fixed that.
> >
> > Actually, I managed to get pf_ring number of slots way higher than suggested
> > default.
> > I found out that maximum number for me was 400000. Originally during config
> > tweaking, I've noticed that higher number of slots did improve packet loss.
> > Recently, I've started testing with lower number of slots (200000), same
> > behavior as far as occasional burst of packet loss.
> >
> > For the NICs, I've done the following:
> > # ethtool -k ethx
> > Features for ethx:
> > rx-checksumming: off
> > tx-checksumming: off
> > scatter-gather: off
> > tcp-segmentation-offload: off
> > udp-fragmentation-offload: off
> > generic-segmentation-offload: off
> > generic-receive-offload: off
> > large-receive-offload: off
> > ntuple-filters: off
> > receive-hashing: off
> >
> > # ethtool -c ethx
> > rx-usecs: 1000
> >
> 
> I would also try rx-usecs: 1 - to see if any difference in performance.
> What is your max-pending-packets set to ?
> 
> > # ethtool -g ethx
> > Ring parameters for ethx:
> > Pre-set maximums:
> > RX:             4078
> > RX Mini:        0
> > RX Jumbo:       0
> > TX:             4078
> > Current hardware settings:
> > RX:             4078
> > RX Mini:        0
> > RX Jumbo:       0
> > TX:             4078
> >
> >
> >> Date: Wed, 5 Nov 2014 00:11:29 +0100
> >> Subject: Re: [Oisf-users] Occasional burst of packet loss
> >> From: petermanev at gmail.com
> >> To: coolyasha at hotmail.com
> >> CC: cnelson at ucsd.edu; oisf-users at lists.openinfosecfoundation.org
> >
> >>
> >> On Tue, Nov 4, 2014 at 5:38 PM, Yasha Zislin <coolyasha at hotmail.com>
> >> wrote:
> >> > How do you increase socket buffers?
> >> >
> >> > I've increased a lot of buffers already. That's why my memory
> >> > utilization is
> >> > high.
> >> > I've also maxed out NIC buffers and PF_RING ring size.
> >>
> >> Could you describe how you maxed out the NIC buffers, and which ones?
> >>
> >> Suggestion for pf_ring in general:
> >> In a terminal:
> >> -> modprobe pf_ring transparent_mode=0 min_num_slots=65534 enable_tx_capture=0
> >>
> >> to confirm:
> >> -> cat /proc/net/pf_ring/info
> >>
> >> In suricata.yaml
> >> -> max-pending-packets: 65534
> >>
> >> Which Suricata version are you using?
> >>
> >> >
> >> > Thanks.
> >> >
> >> >> Date: Tue, 4 Nov 2014 08:11:36 -0800
> >> >> From: cnelson at ucsd.edu
> >> >> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> >> >> Subject: Re: [Oisf-users] Occasional burst of packet loss
> >> >>
> >> >> Not sure if this works the same as with PF_RING, but I've found
> >> >> increasing the socket buffers can help with packet drops during DOS
> >> >> attacks when running in AF_PACKET mode. eg:
> >> >>
> >> >> > buffer-size: 1048576
> >> >>
> >> >> On 11/3/2014 11:35 AM, Yasha Zislin wrote:
> >> >> >
> >> >> > I guess, I am trying to figure out if there is a way to reduce packet
> >> >> > loss and improve performance while being attacked by either DDOS or
> >> >> > something else.
> >> >> >
> >> >> > Thanks.
> >> >> >
> >> >>
> >> >> --
> >> >> Cooper Nelson
> >> >> Network Security Analyst
> >> >> UCSD ACT Security Team
> >> >> cnelson at ucsd.edu x41042
> >> >
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
> 
> 
> 
> -- 
> Regards,
> Peter Manev
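
The NIC settings quoted in this thread (offloads off in `ethtool -k`, rings at their pre-set maximum in `ethtool -g`) can be checked mechanically. The script below is an added example, not part of any message in the thread; the function names and the sample text (the thread's output, abridged, with two values altered) are constructed for illustration.

```sh
# Added example: audit `ethtool` output against the NIC settings in this thread.
# SAMPLE_K / SAMPLE_G are constructed: one offload is switched on and the RX
# ring is lowered so that each check has something to flag.

# stdin: `ethtool -k` output. Prints each feature still reported as "on".
offloads_still_on() {
    awk -F':[ \t]*' 'NF == 2 && $2 ~ /^on/ { sub(/^[ \t]+/, "", $1); print $1 }'
}

# stdin: `ethtool -g` output. Prints "RX cur/max" or "TX cur/max" for each
# ring whose current size is below its pre-set maximum.
ring_shortfall() {
    awk -F':[ \t]*' '
        /^Pre-set maximums/          { sect = "max"; next }
        /^Current hardware settings/ { sect = "cur"; next }
        $1 == "RX" || $1 == "TX"     { val[sect, $1] = $2 + 0 }
        END {
            n = split("RX TX", ring, " ")
            for (i = 1; i <= n; i++)
                if (val["cur", ring[i]] < val["max", ring[i]])
                    print ring[i] " " val["cur", ring[i]] "/" val["max", ring[i]]
        }'
}

SAMPLE_K='Features for ethx:
rx-checksumming: off
tcp-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off'
SAMPLE_G='Ring parameters for ethx:
Pre-set maximums:
RX:             4078
TX:             4078
Current hardware settings:
RX:             512
TX:             4078'

# $1: `ethtool -k` text, $2: `ethtool -g` text. Prints one line per finding.
audit() {
    on=$(printf '%s\n' "$1" | offloads_still_on)
    short=$(printf '%s\n' "$2" | ring_shortfall)
    if [ -n "$on" ]; then echo "offloads still on:" $on; fi
    if [ -n "$short" ]; then echo "ring below maximum:" $short; fi
}

# With an interface name as $1, audit the live NIC; otherwise use the samples.
if [ -n "${1:-}" ]; then
    audit "$(ethtool -k "$1")" "$(ethtool -g "$1")"
else
    audit "$SAMPLE_K" "$SAMPLE_G"
fi
```
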
 		 	   		  