[Oisf-users] Packets "disappear" with PF_RING.
Xavier Romero
XRomero at nexica.com
Sun Oct 12 09:53:24 UTC 2014
Hello,
I've switched from PCAP mode to PF_RING and now I realize that Suricata is getting far fewer packets, that is, instead of our usual 300.000 pkt/s just 40.000 pkt/s (according to the stats file). In fact the alerts generated dropped drastically; my Kibana visualization can confirm it!
The stats file does not report any drops, so could it be related to PF_RING? Or to the way I've configured Suricata for PF_RING?
My config:
runmode: workers
pfring:
  - interface: eth2
    threads: 8
    cluster-id: 94
    cluster-type: cluster_flow
  - interface: eth3
    threads: 8
    cluster-id: 94
    cluster-type: cluster_flow
(I've got 2 x 8-core CPU, 32GB RAM)
My previous config was the default runmode with the default pcap settings; it worked perfectly, just that CPU was near 100% most of the time and I wanted it to scale a bit more :)
PF_RING info:
[root at nex-ids-01 suricata]# cat /proc/net/pf_ring/info
PF_RING Version : 6.0.2 ($Revision: 8014$)
Total rings : 16
Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 6819
Cluster Fragment Discard : 825409065
Could the Cluster Fragment Discard count have something to do with it?
From the files /sys/class/net/eth2/statistics/rx_packets and /sys/class/net/eth3/statistics/rx_packets I can confirm that packets are arriving at the Linux box at a ratio of about 300.000 pkt/s; however, Suricata reports a ratio of about 40.000 pkt/s in its stats file, without drops. I have no idea at which point the packets are disappearing.
Any clue?
Best regards,
Xavier Romero
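The post compares two counters by hand: the NIC's rx_packets in /sys and the packet rate in Suricata's stats file, with the PF_RING "Cluster Fragment Discard" counter as a suspect in between. The script below is an added diagnostic helper, not code from the original post, from Suricata or from PF_RING. It samples the NIC counter and the PF_RING discard counter over the same interval and prints both as per-second rates, so they can be set beside the rate Suricata reports. The /sys and /proc paths are those quoted in the post; the interface name and sampling interval are assumptions passed in through IFACE and SECS, and sample_info is a constructed stand-in built from the values quoted in the post so the parsing can be exercised on a box without PF_RING.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post or from Suricata/PF_RING.
# It samples the NIC receive counter and the PF_RING "Cluster Fragment Discard"
# counter over the same interval and prints both as per-second rates, so they
# can be set beside the rate Suricata reports in its stats file.
# The /sys and /proc paths are those quoted in the post; the interface name and
# sampling interval are assumptions passed in via IFACE and SECS.

# Packets per second from two counter readings taken $3 seconds apart.
pps() {
    # $1 first reading, $2 second reading, $3 elapsed seconds (integer)
    echo $(( ($2 - $1) / $3 ))
}

# Numeric value of a "<label> : <value>" line read from stdin, e.g.
#   pfring_field "Cluster Fragment Discard" < /proc/net/pf_ring/info
# The label is matched exactly after trimming trailing blanks, so
# "Cluster Fragment Queue" is not confused with "Cluster Fragment Discard".
pfring_field() {
    awk -F':' -v label="$1" '
        { l = $1; sub(/[ \t]+$/, "", l) }
        l == label { v = $2; gsub(/[^0-9]/, "", v); print v; exit }'
}

# Constructed stand-in for /proc/net/pf_ring/info, using the lines and values
# quoted in the post, so pfring_field can be exercised without PF_RING loaded.
sample_info() {
    cat <<'EOF'
PF_RING Version          : 6.0.2 ($Revision: 8014$)
Total rings              : 16
Ring slots               : 4096
Cluster Fragment Queue   : 6819
Cluster Fragment Discard : 825409065
EOF
}

# Read rx_packets for interface $1 and the discard counter, wait $2 seconds,
# read both again and print the deltas as rates. $3 overrides the info path.
sample_rates() {
    iface=$1; secs=$2; info=${3:-/proc/net/pf_ring/info}
    rx=/sys/class/net/$iface/statistics/rx_packets
    rx0=$(cat "$rx"); d0=$(pfring_field "Cluster Fragment Discard" < "$info")
    sleep "$secs"
    rx1=$(cat "$rx"); d1=$(pfring_field "Cluster Fragment Discard" < "$info")
    echo "$iface rx_packets:                $(pps "$rx0" "$rx1" "$secs") pkt/s"
    echo "pf_ring Cluster Fragment Discard: $(pps "$d0" "$d1" "$secs") /s"
}

# Runs only when an interface is named, e.g.: IFACE=eth2 SECS=10 sh pfring_rates.sh
if [ -n "${IFACE:-}" ]; then
    sample_rates "$IFACE" "${SECS:-10}"
fi
```

Run it once per capture interface (IFACE=eth2, then IFACE=eth3) while Suricata is capturing, and compare the printed NIC rate with the packet rate in the stats file. If the NIC rate stays near the 300.000 pkt/s the post mentions while the discard counter grows at a comparable rate, the gap between NIC and Suricata is opening inside the PF_RING cluster rather than before the packets reach the box; if the discard counter is flat, the loss is somewhere else and the ring configuration is not the first thing to look at.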