[Oisf-users] Occasional burst of packet loss

Cooper F. Nelson cnelson at ucsd.edu
Wed Nov 5 17:30:13 UTC 2014

My config is a little different.

I'm running Suricata 2.1dev, built from the git sources.  I usually
update it weekly.

I'm running af-packet/mmap mode, which has an option to set a socket
buffer per-thread.

In my case, increasing the socket buffer size resulted in less (but not
zero) packet drops during bursty traffic.

I also admit that I'm not familiar with the inner workings of PF_RING,
but it may be that the addition of a socket-buffer in af-packet/mmap
mode can mitigate packet drops due to periods of extremely high packet
rates.  The Linux kernel and PF_RING are not magic and if anywhere in
the networking stack you are pushing packets faster than the relevant
FIFO can process them you will get packet drops.  Buffered IO can
alleviate this to a certain extent.

So, if you have the time, I would suggest trying a test with the latest
git release, fresh kernel/drivers and af-packet/mmap mode with at least
a megabyte of socket buffers.

-Coop

On 11/5/2014 7:28 AM, Yasha Zislin wrote:
> I am using latest Suricata release 2.0.4. BTW, I've had 2.0.1 version
> running recently and I had a drastic drop in number of alerts after like
> 5 hours of starting Suricata. 2.0.4 fixed that.
> Actually, I managed to get pf_ring number of slots way higher than
> suggested default.
> I found out that maximum number for me was 400000. Originally during
> config tweaking, I've noticed that higher number of slots did improve
> packet loss. 
> Recently, I've started testing with lower number of slots (200000), same
> behavior as far as occasional burst of packet loss.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
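
The FIFO argument in the message above, as an added example (not part of the original post, and not Suricata, af-packet or PF_RING code): a tail-drop queue model showing that a deeper buffer absorbs short bursts but still drops once a burst outlasts it. The rates and sizes are constructed, and capacity is counted in packets rather than bytes.

```python
"""Tail-drop FIFO model of a capture buffer under bursty traffic.

Added illustration; not Suricata, af-packet or PF_RING code. All rates and
sizes are constructed, and capacity is counted in packets, not bytes.
"""


def simulate_fifo(arrivals, drain_per_tick, capacity):
    """Return (delivered, dropped) for a FIFO holding at most `capacity` packets."""
    queued = delivered = dropped = 0
    for arriving in arrivals:
        accepted = min(arriving, capacity - queued)  # tail drop when full
        dropped += arriving - accepted
        queued += accepted
        served = min(queued, drain_per_tick)  # consumer drains at a fixed rate
        queued -= served
        delivered += served
    # Packets still queued at the end are processed later, not lost.
    return delivered + queued, dropped


# Constructed traffic: 800 pkt/tick baseline with one 3-tick and one 10-tick
# burst of 5000 pkt/tick. The consumer handles 1000 pkt/tick.
TRAFFIC = [800] * 10 + [5000] * 3 + [800] * 60 + [5000] * 10 + [800] * 10
DRAIN = 1000


def drops_by_capacity(capacities, arrivals=TRAFFIC, drain=DRAIN):
    """Map each buffer capacity to the number of packets dropped."""
    return {c: simulate_fifo(arrivals, drain, c)[1] for c in capacities}


if __name__ == "__main__":
    total = sum(TRAFFIC)
    for cap, dropped in drops_by_capacity([1000, 4000, 16000, 64000]).items():
        print(f"capacity={cap:>6} pkts  dropped={dropped:>6}  ({dropped / total:.1%})")
```

In this model the 16000-packet buffer rides out the 3-tick burst entirely but still overflows during the 10-tick burst, which is the "less (but not zero)" pattern reported above.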