[Oisf-users] file truncated

Peter Manev petermanev at gmail.com
Tue Apr 21 13:09:50 UTC 2015


On Tue, Apr 21, 2015 at 10:21 AM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi,
>
>> Miso, as a sanity check could you run 'ethtool -k' on your monitor
>> interface and copy the results here?
> I confirm I disabled the NIC offloading on eth0 and eth1, and if I run 'ethtool -k' I have the same result for the two interfaces:
>
> Features for eth1:
> rx-checksumming: off
> tx-checksumming: off
>         tx-checksum-ipv4: off
>         tx-checksum-unneeded: off [fixed]
>         tx-checksum-ip-generic: off [fixed]
>         tx-checksum-ipv6: off
>         tx-checksum-fcoe-crc: off [fixed]
>         tx-checksum-sctp: off [fixed]
> scatter-gather: off
>         tx-scatter-gather: off
>         tx-scatter-gather-fraglist: off [fixed]
> tcp-segmentation-offload: off
>         tx-tcp-segmentation: off
>         tx-tcp-ecn-segmentation: off
>         tx-tcp6-segmentation: off
> udp-fragmentation-offload: off [fixed]
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off [fixed]
> rx-vlan-offload: off
> tx-vlan-offload: off
> ntuple-filters: off [fixed]
> receive-hashing: off [fixed]
> highdma: on
> rx-vlan-filter: off [fixed]
> vlan-challenged: off [fixed]
> tx-lockless: off [fixed]
> netns-local: off [fixed]
> tx-gso-robust: off [fixed]
> tx-fcoe-segmentation: off [fixed]
> fcoe-mtu: off [fixed]
> tx-nocache-copy: on
> loopback: off [fixed]
>

Everything seems to be OFF - which is good :)

>> Are there a lot of drops/gaps in the stats.log?
> I don't have kernel drops but I noticed I have some tcp gaps. I'm attaching some graphs.

Not only gaps - from the graphs there seem to be memcap drops as well
- that combination can lead to the file extraction problems.

Have you done any tuning of the suricata.yaml?
What type of traffic and how much of it are you inspecting on what HW?

>
>> What is your set up - is it entirely virtual (including the mirror technique)?
> My set up is entirely physical.
>
>
> ----- Original message -----
> From: "Cooper F. Nelson" <cnelson at ucsd.edu>
> To: "Peter Manev" <petermanev at gmail.com>
> Cc: "Miso Mijatovic" <mmijatovic at sorint.it>, oisf-users at lists.openinfosecfoundation.org
> Sent: Monday, 20 April 2015 19:19:13
> Subject: Re: [Oisf-users] file truncated
>
> I had the exact same problem Miso did because I missed an off-load setting.
>
> Miso, as a sanity check could you run 'ethtool -k' on your monitor
> interface and copy the results here?
>
> - -Coop
>
> On 4/20/2015 10:15 AM, Peter Manev wrote:
>> NIC offloading is already included in the wiki link that Miso
>> mentioned he followed -
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>> (plus all offloading should be disabled by default in selks  - only
>> for eth0 though)
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042



-- 
Regards,
Peter Manev
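
An added example, not part of the original thread: a shell check for the situation Cooper describes (a missed offload setting). It parses `ethtool -k` output and lists watched offloads that are still on; the watch list, function names and sample input are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: flag offloads still "on" in `ethtool -k` output.
# Assumption: this watch list (names as printed in the thread's output) is what
# matters for capture on your NIC; adjust it for your driver.
CAPTURE_OFFLOADS="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload udp-fragmentation-offload \
generic-segmentation-offload generic-receive-offload \
large-receive-offload rx-vlan-offload tx-vlan-offload"

# Reads `ethtool -k` text on stdin. Prints "<feature> changeable|fixed" for each
# watched feature (or indented sub-feature of one) whose state is "on".
offloads_still_on() {
    awk -v wanted="$CAPTURE_OFFLOADS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        /^Features for / || !/:/ { next }      # skip header and lines without "name: state"
        {
            child = ($0 ~ /^[ \t]/)            # indented lines are sub-features
            line = $0; sub(/^[ \t]+/, "", line)
            name = substr(line, 1, index(line, ":") - 1)
            split(substr(line, index(line, ":") + 1), f, " ")   # f[1] is on|off
            if (!child) parent = name
            if (!(parent in watch) || f[1] != "on") next
            label = child ? parent "/" name : name
            # "[fixed]" means the driver will not let ethtool -K change it
            print label, (line ~ /\[fixed\]/ ? "fixed" : "changeable")
        }'
}

# Succeeds only when no watched offload is on (usable as a pre-start check).
offloads_clean() { [ -z "$(offloads_still_on)" ]; }

# Constructed sample input (not output from the hosts in this thread).
sample_ethtool_output() {
    cat <<'EOF'
Features for eth1:
rx-checksumming: off
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
        tx-tcp6-segmentation: off
generic-receive-offload: on
large-receive-offload: on [fixed]
highdma: on
tx-nocache-copy: on
EOF
}
```

Run it as `ethtool -k eth1 | offloads_still_on` for each monitor interface; features outside the watch list, such as `highdma` and `tx-nocache-copy` in the output quoted above, are ignored.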


