[Oisf-users] Occasional burst of packet loss

Yasha Zislin coolyasha at hotmail.com
Thu Nov 6 15:20:59 UTC 2014


I've tried af-packet mode in the beginning and had a high packet loss. Most likely I didn't configure it right, but I've gotten so used to PF_RING that I think I can make it work; I just have to tune the Suricata config.
I've increased libhtp request-body-limit and response-body-limit values to 1gb. It seems to be holding up without any loss. I've also changed rx-usecs to 1. In addition, I've reduced pf_ring ring slots. So maybe this will just work.
Thanks for all of the information.


> Date: Wed, 5 Nov 2014 09:30:13 -0800
> From: cnelson at ucsd.edu
> To: coolyasha at hotmail.com; petermanev at gmail.com
> CC: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Occasional burst of packet loss
> 
> My config is a little different.
> 
> I'm running Suricata 2.1dev, built from the git sources.  I usually
> update it weekly.
> 
> I'm running af-packet/mmap mode; which has an option to set a socket
> buffer per-thread.
> 
> In my case, increasing the socket buffer size resulted in less (but not
> zero) packet drops during bursty traffic.
> 
> I also admit that I'm not familiar with the inner workings of PF_RING,
> but it may be that the addition of a socket-buffer in af-packet/mmap
> mode can mitigate packet drops due to periods of extremely high packet
> rates.  The Linux kernel and PF_RING are not magic and if anywhere in
> the networking stack you are pushing packets faster than the relevant
> FIFO can process them you will get packet drops.  Buffered IO can
> alleviate this to a certain extent.
> 
> So, if you have the time, I would suggest trying a test with the latest
> git release, fresh kernel/drivers and af-packet/mmap mode with at least
> a megabyte of socket buffers.
> 
> -Coop
> 
> On 11/5/2014 7:28 AM, Yasha Zislin wrote:
> > I am using latest Suricata release 2.0.4. BTW, I've had 2.0.1 version
> > running recently and I had a drastic drop in number of alerts after like
> > 5 hours of starting Suricata. 2.0.4 fixed that.
> > 
> > Actually, I managed to get pf_ring number of slots way higher than
> > suggested default.
> > I found out that maximum number for me was 400000. Originally during
> > config tweaking, I've noticed that higher number of slots did improve
> > packet loss. 
> > Recently, I've started testing with lower number of slots (200000), same
> > behavior as far as occasional burst of packet loss.
> > 
> 
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
 		 	   		  