[Oisf-users] What are capture.kernel_packets, capture.kernel_drops
Peter Manev
petermanev at gmail.com
Sun Oct 12 08:19:52 UTC 2014
On Fri, Oct 10, 2014 at 1:10 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
> On 10/10/2014, at 10:44 am, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
>> Can you share your bpf filter, on or off the list?
>>
>> Have you tried worker mode, irqbalance and using all cores as described
>> in this guide?
>>
>> > https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>>
>
> Yes, I have but the difference (I suspect) is that I need to run argus and vortex on the same host.
>
> Here is what I get when I use this setup:
>
> Oct 10 11:52:14 secmontst01 suricata: 10/10/2014 -- 11:52:14 - <Notice> - all 32 packet processing threads, 3 management threads initialized, engine started.
>
> Date: 10/10/2014 -- 12:09:45 (uptime: 0d, 00h 17m 39s)
> capture.kernel_packets | RxAFP1 | 19010720
> capture.kernel_drops | RxAFP1 | 4554338
> capture.kernel_packets | RxAFP2 | 20855771
> capture.kernel_drops | RxAFP2 | 6538616
> capture.kernel_packets | RxAFP3 | 20211500
> capture.kernel_drops | RxAFP3 | 5418031
> capture.kernel_packets | RxAFP4 | 22586444
> capture.kernel_drops | RxAFP4 | 8229282
> capture.kernel_packets | RxAFP5 | 30365638
> capture.kernel_drops | RxAFP5 | 15239780
> capture.kernel_packets | RxAFP6 | 20725505
> capture.kernel_drops | RxAFP6 | 5789617
> capture.kernel_packets | RxAFP7 | 22004167
> capture.kernel_drops | RxAFP7 | 7708126
> capture.kernel_packets | RxAFP8 | 20861213
> capture.kernel_drops | RxAFP8 | 5999151
> capture.kernel_packets | RxAFP9 | 19993308
> capture.kernel_drops | RxAFP9 | 5551356
> capture.kernel_packets | RxAFP10 | 20493995
> capture.kernel_drops | RxAFP10 | 5672954
> capture.kernel_packets | RxAFP11 | 19237837
> capture.kernel_drops | RxAFP11 | 4745524
> capture.kernel_packets | RxAFP12 | 18959372
> capture.kernel_drops | RxAFP12 | 4636839
> capture.kernel_packets | RxAFP13 | 19265602
> capture.kernel_drops | RxAFP13 | 4853184
> capture.kernel_packets | RxAFP14 | 20297222
> capture.kernel_drops | RxAFP14 | 5709465
> capture.kernel_packets | RxAFP15 | 20886974
> capture.kernel_drops | RxAFP15 | 6746690
> capture.kernel_packets | RxAFP16 | 16575452
> capture.kernel_drops | RxAFP16 | 3134244
>
> config file will be here for a few days: https://webdropoff.auckland.ac.nz/cgi-bin/pickup/52881b606690eb4041d8f84667a593d6/182886
>
> one minor quirk I noticed when doing tuning is that
>
> sudo ethtool -n eth3 rx-flow-hash udp4
>
> fails: Cannot get RX network flow hashing options: Operation not supported
>
> I am using a recent version of the intel ixgbe drivers.
>
Hi,
I had a look at your config file and noticed you have done some
editing in terms of the structure of the yaml file - highly
inadvisable from my perspective.
I also noticed - run-mode: worker, it should be run-mode: workerS.
suricata --list-runmodes will give you the list of options you can try
- I would still recommend workers for af_packet :).
There are also some edits in the cpu affinity section that I cannot
see the effect of.
This does not look right either:
LOCAL: 10.2.0.0/16,172.23.0.0/16,172.24.0.0/16
HOME_NET: "[$LOCAL]"
EXTERNAL_NET: "![$LOCAL]"
It should follow the standard formatting as defined in your default yaml -
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
EXTERNAL_NET: "!$HOME_NET"
My suggestion:
Start with a default, clean yaml.
Adjust the necessary variables (but do not change the structure of the
suricata.yaml)
Do not adjust the CPU affinity section until you have reached optimal
performance.
Have a look at the suricata.log (and start suricata in a verbose mode)
- a lot of useful info can be found there.
Disable all NIC offloading (ethtool -k ethX will give you the current status)
Thank you
--
Regards,
Peter Manev
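As an added illustration (not part of this thread or of Suricata itself), a small parser for the stats.log lines quoted above that turns capture.kernel_packets / capture.kernel_drops into per-thread and overall drop ratios, so a drop problem like the one Russell reports can be spotted from a counter dump; the 1% alert threshold is an assumed value, and the sample reuses three of the quoted threads.

```python
import re
from collections import defaultdict

# Constructed sample in the stats.log layout quoted in the thread; the
# RxAFP1, RxAFP2 and RxAFP16 values are copied from the output above.
SAMPLE_STATS = """\
capture.kernel_packets | RxAFP1 | 19010720
capture.kernel_drops | RxAFP1 | 4554338
capture.kernel_packets | RxAFP2 | 20855771
capture.kernel_drops | RxAFP2 | 6538616
capture.kernel_packets | RxAFP16 | 16575452
capture.kernel_drops | RxAFP16 | 3134244
"""

# counter name | thread name | value
LINE_RE = re.compile(
    r"^\s*(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {thread: {"packets": int, "drops": int}} from stats.log-style lines.
    Lines that are not capture counters (dates, other metrics) are skipped."""
    counters = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, thread, value = m.groups()
        field = "packets" if key.endswith("packets") else "drops"
        counters[thread][field] = int(value)
    return dict(counters)


def drop_ratios(counters):
    """Per-thread kernel_drops / kernel_packets (0.0 when no packets were seen)."""
    return {t: (c["drops"] / c["packets"] if c["packets"] else 0.0)
            for t, c in counters.items()}


def summarize(counters, threshold=0.01):
    """Totals plus the threads whose drop ratio exceeds `threshold`
    (1% is an assumed alerting value, not one from the thread)."""
    total_packets = sum(c["packets"] for c in counters.values())
    total_drops = sum(c["drops"] for c in counters.values())
    ratios = drop_ratios(counters)
    return {"packets": total_packets, "drops": total_drops,
            "ratio": total_drops / total_packets if total_packets else 0.0,
            "over_threshold": sorted(t for t, r in ratios.items() if r > threshold)}


if __name__ == "__main__":
    s = summarize(parse_stats(SAMPLE_STATS))
    print(f"kernel drop ratio: {s['ratio']:.1%} ({s['drops']}/{s['packets']}), "
          f"threads over threshold: {', '.join(s['over_threshold'])}")
```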