[Oisf-users] packet loss troubleshooting
Yasha Zislin
coolyasha at hotmail.com
Wed Dec 9 14:00:52 UTC 2015
Just to add some info to this.
ifconfig does not report any dropped packets.
/proc/net/pf_ring/xxx-eth0.1 reports packet drops. I assume Suricata gets that stat from there.
ethtool -S eth0 has the following:
NIC statistics:
     rcvd bad skb: 0
     xmit called: 0
     xmited frames: 0
     xmit finished: 0
     bad skb len: 0
     no cmd desc: 0
     polled: 0
     uphappy: 3869414
     updropped: 0
     tx dropped: 0
     csummed: 0
     no rcv: 7281014949
     rx bytes: 4439217322357
     lro pkts: 0
     tx bytes: 0
     lso pkts: 0
Thank you
From: coolyasha at hotmail.com
To: cnelson at ucsd.edu; oisf-users at lists.openinfosecfoundation.org
Date: Wed, 9 Dec 2015 13:36:15 +0000
Subject: Re: [Oisf-users] packet loss troubleshooting
I am at about 10% now. So this is not good.
So whenever I see capture.kernel_drops this is always an OS or NIC problem? Suricata itself has nothing to do with it, right?
I guess once I start seeing kernel drops, reassembly gaps start to increase. Is that correct as well?
I am not an expert on net.core.* buffers. Can you advise on which ones I need to increase or how to find out which ones I need to increase?
Thank you.
> Subject: Re: [Oisf-users] packet loss troubleshooting
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> From: cnelson at ucsd.edu
> Date: Tue, 8 Dec 2015 12:22:53 -0800
>
> You are dropping packets in the kernel.
>
> If you do the math this is actually 0.64%, which is under 1% and
> considered normal. You can try increasing your net.core.* buffers via
> sysctl, but in my experience suricata will always drop packets when
> being started or under a DOS/packet-flood scenario.
>
> As long as drops are under 1% over long periods you should be fine.
>
> -Coop
>
> On 12/8/2015 7:14 AM, Yasha Zislin wrote:
> > I am trying to narrow down good config to reduce packet loss. It seems
> > that it is related to reassembly of streams.
> > I keep getting reassembly gaps and therefore packet loss. Here is an
> > example stats.log
> > capture.kernel_packets | RxPFReth02 | 455937792
> > capture.kernel_drops | RxPFReth02 | 2921250
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
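An added example, not part of the original thread or of Suricata itself: the "do the math" step from the reply above, extended to also compute the drop rate between consecutive stats.log dumps, since the capture counters are cumulative and a long-run ratio under 1% can hide a much worse recent interval. Assumptions: each dump starts with a `Date:` header line, rows have the `counter | thread | value` shape quoted in the thread, and the function names, timestamps and second dump are constructed for illustration.

```python
import re
from collections import defaultdict

# Rows as quoted in the thread: counter | thread name | value
ROW = re.compile(r"^\s*capture\.kernel_(packets|drops)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Return one {thread: {"packets": n, "drops": n}} dict per stats dump."""
    dumps = []
    for line in text.splitlines():
        m = ROW.match(line)
        if line.startswith("Date:") or (m and not dumps):
            dumps.append(defaultdict(dict))  # new dump: header seen, or headerless fragment
        if m:
            dumps[-1][m[2]][m[1]] = int(m[3])
    return dumps

def pct(drops, packets):
    return 100.0 * drops / packets if packets > 0 else 0.0

def drop_report(dumps, limit=1.0):
    """Per dump and thread: (cumulative %, % since previous dump, over_limit)."""
    report, prev = [], {}
    for dump in dumps:
        row = {}
        for thread, c in dump.items():
            p, d = c.get("packets", 0), c.get("drops", 0)
            old_p, old_d = prev.get(thread, (0, 0))
            dp, dd = p - old_p, d - old_d
            if dp < 0 or dd < 0:  # counters went backwards: Suricata was restarted
                dp, dd = p, d
            row[thread] = (pct(d, p), pct(dd, dp), pct(dd, dp) > limit)
            prev[thread] = (p, d)
        report.append(row)
    return report

# Constructed sample: dump 1 reuses the two values quoted in the thread; dump 2 is invented.
SAMPLE = """\
Date: 12/8/2015 -- 07:10:00
capture.kernel_packets | RxPFReth02 | 455937792
capture.kernel_drops | RxPFReth02 | 2921250
Date: 12/8/2015 -- 07:20:00
capture.kernel_packets | RxPFReth02 | 465937792
capture.kernel_drops | RxPFReth02 | 3921250
"""
if __name__ == "__main__":
    for i, row in enumerate(drop_report(parse_dumps(SAMPLE))):
        for thread, (cum, recent, over) in row.items():
            print(f"dump {i} {thread}: total {cum:.2f}%  interval {recent:.2f}%  over={over}")
```

On the constructed sample the cumulative ratio stays under the 1% rule of thumb in both dumps while the second interval alone is far above it, which is why the per-interval figure is the one worth alerting on.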