[Oisf-users] Packets "dissappear" with PF_RING.

Peter Manev petermanev at gmail.com
Tue Oct 21 11:57:44 UTC 2014


On Sun, Oct 12, 2014 at 11:53 AM, Xavier Romero <XRomero at nexica.com> wrote:
> Hello,
>
>
>
> I’ve switched from PCAP mode to PF_RING and now I realize that suricata is
> getting much fewer packets, that is, instead of our usual 300.000 pkt/s, just
> 40.000 pkt/s (according to stats file). In fact alerts generated dropped
> drastically, my Kibana visualization can confirm it!
>
>
>
> Stats file does not report any drop, so it may be related to PF_RING? OR the
> way I’ve configured Suricata for PF_RING?
>
>
>
> My config:
>
> runmode: workers
>
> pfring:
>   - interface: eth2
>     threads: 8
>     cluster-id: 94
>     cluster-type: cluster_flow
>   - interface: eth3
>     threads: 8
>     cluster-id: 94
>     cluster-type: cluster_flow
>
> (I’ve got 2 x 8-core CPU, 32GB RAM)
>
>
>
> My previous config was default runmode with default pcap settings, it worked
> perfect, just that cpu was near 100% most time and I wanted it to scale a
> bit more :)
>
>

What does your suricata.log look like when you start Suri with the -v
(verbose) switch? (Any errors/warnings?)

What is the value of max-pending-packets in yaml ?
What is the CPU usage with pf_ring?

You could try increasing the "ring slots" (from the default 4096) for pf_ring.

>
> PF_RING info:
>
>
>
> [root at nex-ids-01 suricata]# cat /proc/net/pf_ring/info
>
> PF_RING Version          : 6.0.2 ($Revision: 8014$)
>
> Total rings              : 16
>
>
>
> Standard (non DNA) Options
>
> Ring slots               : 4096
>
> Slot version             : 16
>
> Capture TX               : Yes [RX+TX]
>
> IP Defragment            : No
>
> Socket Mode              : Standard
>
> Transparent mode         : Yes [mode 0]
>
> Total plugins            : 0
>
> Cluster Fragment Queue   : 6819
>
> Cluster Fragment Discard : 825409065
>
>
>
>
>
> Cluster Fragment Discard could have something to do?
>
>
>
> From files /sys/class/net/eth2/statistics/rx_packets and
> /sys/class/net/eth3/statistics/rx_packets I can confirm that packets are
> arriving at the Linux box at a rate of about 300.000 pkt/s, however suricata
> reports a rate of about 40.000 pkt/s in its stats file, without drops. I
> have no idea at which point the packets are disappearing.
>
>
>
> Any clue?
>
>
>
> Best regards,
>
> Xavier Romero
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/



-- 
Regards,
Peter Manev
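The check Xavier describes (kernel rx_packets counter versus the rate in Suricata's stats file, plus the counters in /proc/net/pf_ring/info) can be scripted so the comparison is repeatable. The following is an added example, not code from the thread or from the Suricata or PF_RING projects; the pf_ring info text is a constructed sample modelled on the output quoted above, the 90% threshold is an arbitrary choice, and `read_sysfs_rx_packets` only works on a Linux host with the named interface.

```python
"""Compare the NIC receive rate with Suricata's reported capture rate and
track pf_ring counters between two samples, to narrow down where packets
are lost when stats.log shows no drops. Added example, not thread code."""

# Constructed sample of /proc/net/pf_ring/info, modelled on the output
# quoted in the thread; the numbers are illustrative.
PF_RING_INFO_SAMPLE = """\
PF_RING Version          : 6.0.2 ($Revision: 8014$)
Total rings              : 16

Standard (non DNA) Options
Ring slots               : 4096
Slot version             : 16
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 6819
Cluster Fragment Discard : 825409065
"""


def parse_pf_ring_info(text):
    """Parse 'Key : Value' lines into a dict; purely numeric values become ints.
    Only the first ':' separates key and value, so a version string containing
    '$Revision: 8014$' survives intact."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # section headers such as 'Standard (non DNA) Options'
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        info[key] = int(value) if value.isdigit() else value
    return info


def read_sysfs_rx_packets(iface):
    """Read the kernel's per-interface receive counter (Linux only).
    Sample it twice with a known interval and feed rate_per_second()."""
    with open("/sys/class/net/%s/statistics/rx_packets" % iface) as fh:
        return int(fh.read().strip())


def rate_per_second(counter_before, counter_after, interval_s):
    """Packets per second from two readings of a monotonically increasing counter."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    delta = counter_after - counter_before
    if delta < 0:
        raise ValueError("counter went backwards (reset or wrap)")
    return delta / float(interval_s)


def capture_ratio(nic_pps, suricata_pps):
    """Fraction of the packets the NIC received that Suricata reports capturing."""
    if nic_pps == 0:
        return 1.0
    return suricata_pps / float(nic_pps)


def diagnose(nic_pps, suricata_pps, info_before, info_after, threshold=0.9):
    """Return findings as strings: a capture ratio below `threshold`, and a
    'Cluster Fragment Discard' counter that grew between the two pf_ring
    info samples. An empty list means nothing suspicious was seen."""
    findings = []
    ratio = capture_ratio(nic_pps, suricata_pps)
    if ratio < threshold:
        findings.append(
            "suricata reports %.0f%% of NIC packets (%.0f vs %.0f pkt/s); "
            "the loss is upstream of the stats counters, so it is not "
            "reported as drops" % (ratio * 100, suricata_pps, nic_pps))
    key = "Cluster Fragment Discard"
    grew = info_after.get(key, 0) - info_before.get(key, 0)
    if grew > 0:
        findings.append("%s grew by %d during the interval" % (key, grew))
    return findings


if __name__ == "__main__":
    # Offline demonstration using the thread's figures: 300.000 pkt/s on the
    # wire versus 40.000 pkt/s in stats.log, and a discard counter that moved.
    before = parse_pf_ring_info(PF_RING_INFO_SAMPLE)
    after = dict(before, **{"Cluster Fragment Discard": 825409065 + 5000})
    nic = rate_per_second(0, 3000000, 10)       # constructed counter readings
    suri = rate_per_second(0, 400000, 10)
    for finding in diagnose(nic, suri, before, after):
        print(finding)
```

On a live box, replace the constructed counter readings with two calls to `read_sysfs_rx_packets("eth2")` spaced a few seconds apart and two snapshots of `/proc/net/pf_ring/info`; the Suricata figure comes from the capture counter in stats.log over the same interval. A ratio well below 1 with no drops reported points at the path between the NIC and Suricata's capture threads rather than at Suricata's own processing.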


