[Oisf-users] packet loss troubleshooting
Yasha Zislin
coolyasha at hotmail.com
Wed Dec 9 13:36:15 UTC 2015
I am at about 10% now. So this is not good.So whenever I see capture.kernel_drops this is always OS or NIC problem? Suricata itself has nothing to do with it, right?I guess once I start seeing kernel drops, reassembly gaps start to increase. Is that correct as well?
I am not an expert on net.core.* buffers. Can you advise on which ones i need to increase or how to find out which ones I need to increase?
Thank you.
> Subject: Re: [Oisf-users] packet loss troubleshooting
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> From: cnelson at ucsd.edu
> Date: Tue, 8 Dec 2015 12:22:53 -0800
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You are dropping packets in the kernel.
>
> If you do the math this is actually a 0.64%; which is under 1% and
> considered normal. You can try increasing your net.core.* buffers via
> sysctl, but in my experience suricata will always drops packets when
> being started or under a DOS/packet-flood scenario.
>
> As long as drops are under 1% over long periods you should be fine.
>
> - -Coop
>
> On 12/8/2015 7:14 AM, Yasha Zislin wrote:
> > I am trying to narrow down good config to reduce packet loss. It seems
> > that it is related to reassembly of streams.
> > I keep getting reassembly gaps and therefore packet loss. Here is an
> > example stats.log
> > capture.kernel_packets | RxPFReth02 | 455937792
> > capture.kernel_drops | RxPFReth02 | 2921250
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
>
> iQEcBAEBAgAGBQJWZzwdAAoJEKIFRYQsa8FWswUIAIvugaIlM7I/Z9rAW2HKB/1D
> eLWsppn43PKHZhxNhcjl6GEWOrkcubi/E/Uh7dJNX4kyHek1Ee2H5cxeYRgQB2QB
> 2TD2gvoYsTHVcrIafg4i8vVYMbc6vHcJ0FD0s6uc5tBCCItJwwabCzCiCwuJn+gg
> k0U2UKMnl0w80Xa7mLBBfxVZvFg0DNRPVTSBs5xVIiX9wUGupCCP8UhqI2bWAu68
> QDcEaOwfwAJAYEai1lNX6RS8UG4HbRRwCB24E35kj71DUdColeYQs9tQcAD2oAQE
> i1Nbky9Wq1UPQ4MNM9nRM+yuFsjzEwof1KMbfToSyJcD5KxTtLwbgTq2n9kQmnE=
> =zN9b
> -----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151209/3b709e3f/attachment-0002.html>
More information about the Oisf-users
mailing list