[Oisf-users] Occasional burst of packet loss

Michal Purzynski michal at rsbac.org
Thu Nov 6 17:07:26 UTC 2014


body-limit 1GB? That's huge, isn't it? What does the performance look like?

I'm running with something around 20MB+

On 06/11/14 16:20, Yasha Zislin wrote:
> I've tried af-packet mode in the beginning and had a high packet loss. 
> Most likely I didn't configure it right but I've gotten so used to
> PF_RING, I think I can make it work just have to tune suricata config.
>
> I've increased libhtp request-body-limit and response-body-limit 
> values to 1gb. It seems to be holding up without any loss.
> I've also changed rx-usecs to 1. In addition, I've reduced pf_ring 
> ring slots. So maybe this will just work.
>
> Thanks for all of the information.
>
>
>
> > Date: Wed, 5 Nov 2014 09:30:13 -0800
> > From: cnelson at ucsd.edu
> > To: coolyasha at hotmail.com; petermanev at gmail.com
> > CC: oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Occasional burst of packet loss
> >
> > My config is a little different.
> >
> > I'm running Suricata 2.1dev, built from the git sources. I usually
> > update it weekly.
> >
> > I'm running af-packet/mmap mode; which has an option to set a socket
> > buffer per-thread.
> >
> > In my case, increasing the socket buffer size resulted in less (but not
> > zero) packet drops during bursty traffic.
> >
> > I also admit that I'm not familiar with the inner workings of PF_RING,
> > but it may be that the addition of a socket-buffer in af-packet/mmap
> > mode can mitigate packet drops due to periods of extremely high packet
> > rates. The Linux kernel and PF_RING are not magic and if anywhere in
> > the networking stack you are pushing packets faster than the relevant
> > FIFO can process them you will get packet drops. Buffered IO can
> > alleviate this to a certain extent.
> >
> > So, if you have the time, I would suggest trying a test with the latest
> > git release, fresh kernel/drivers and af-packet/mmap mode with at least
> > a megabyte of socket buffers.
> >
> > -Coop
> >
> > On 11/5/2014 7:28 AM, Yasha Zislin wrote:
> > > I am using latest Suricata release 2.0.4. BTW, I've had 2.0.1 version
> > > running recently and I had a drastic drop in number of alerts after like
> > > 5 hours of starting Suricata. 2.0.4 fixed that.
> > >
> > > Actually, I managed to get pf_ring number of slots way higher than
> > > suggested default.
> > > I found out that maximum number for me was 400000. Originally during
> > > config tweaking, I've noticed that higher number of slots did improve
> > > packet loss.
> > > Recently, I've started testing with lower number of slots (200000), same
> > > behavior as far as occasional burst of packet loss.
> > >
> >
> > --
> > Cooper Nelson
> > Network Security Analyst
> > UCSD ACT Security Team
> > cnelson at ucsd.edu x41042

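Added example, not part of the original thread and not OISF code: one way to check whether a tuning change (ring slots, rx-usecs, socket buffer size) actually removed the bursts is to turn the cumulative capture counters into per-interval drop ratios. It assumes the Suricata 2.x stats.log layout with capture.kernel_packets and capture.kernel_drops rows per capture thread; the thread names, counter values and 1% threshold are constructed for illustration.

```python
import re

DATE = re.compile(r"^Date: (.+?) \(uptime")
ROW = re.compile(r"^capture\.kernel_(packets|drops)\s*\|\s*\S+\s*\|\s*(\d+)")

# Constructed sample (separator/header lines omitted): 3 dumps, 2 capture threads.
SAMPLE = """\
Date: 11/6/2014 -- 16:00:08 (uptime: 0d, 00h 00m 08s)
capture.kernel_packets    | RxPFReth01                | 100000
capture.kernel_drops      | RxPFReth01                | 0
capture.kernel_packets    | RxPFReth02                | 100000
capture.kernel_drops      | RxPFReth02                | 0
Date: 11/6/2014 -- 16:00:16 (uptime: 0d, 00h 00m 16s)
capture.kernel_packets    | RxPFReth01                | 150000
capture.kernel_drops      | RxPFReth01                | 10
capture.kernel_packets    | RxPFReth02                | 150000
capture.kernel_drops      | RxPFReth02                | 0
Date: 11/6/2014 -- 16:00:24 (uptime: 0d, 00h 00m 24s)
capture.kernel_packets    | RxPFReth01                | 250000
capture.kernel_drops      | RxPFReth01                | 30010
capture.kernel_packets    | RxPFReth02                | 250000
capture.kernel_drops      | RxPFReth02                | 20000
"""

def snapshots(text):
    """Yield (timestamp, packets, drops) per dump, summed over capture threads."""
    stamp, totals = None, {}
    for line in text.splitlines():
        m = DATE.match(line)
        if m:
            if stamp:
                yield stamp, totals["packets"], totals["drops"]
            stamp, totals = m.group(1), {"packets": 0, "drops": 0}
        elif stamp and (m := ROW.match(line)):
            totals[m.group(1)] += int(m.group(2))
    if stamp:
        yield stamp, totals["packets"], totals["drops"]

def drop_bursts(text, threshold=0.01):
    """Return [(timestamp, ratio)] for intervals whose drop ratio exceeds threshold."""
    bursts, prev = [], None
    for stamp, pkts, drops in snapshots(text):
        if prev:
            d_pkts, d_drops = pkts - prev[0], drops - prev[1]
            # Counters are cumulative and reset on restart: skip negative deltas.
            if d_pkts > 0 and d_drops >= 0 and d_drops / d_pkts > threshold:
                bursts.append((stamp, round(d_drops / d_pkts, 4)))
        prev = (pkts, drops)
    return bursts
```

Calling drop_bursts() on the contents of stats.log before and after a change shows whether the long-run average hides short intervals of heavy loss.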