[Oisf-users] packet loss troubleshooting

Yasha Zislin coolyasha at hotmail.com
Wed Dec 9 14:00:52 UTC 2015


Just to add some info to this.
ifconfig does not report any dropped packets.
/proc/net/pf_ring/xxx-eth0.1 reports packet drops. I assume Suricata gets that stat from there.
ethtool -S eth0 has the following:

NIC statistics:
     rcvd bad skb: 0
     xmit called: 0
     xmited frames: 0
     xmit finished: 0
     bad skb len: 0
     no cmd desc: 0
     polled: 0
     uphappy: 3869414
     updropped: 0
     tx dropped: 0
     csummed: 0
     no rcv: 7281014949
     rx bytes: 4439217322357
     lro pkts: 0
     tx bytes: 0
     lso pkts: 0

Thank you
From: coolyasha at hotmail.com
To: cnelson at ucsd.edu; oisf-users at lists.openinfosecfoundation.org
Date: Wed, 9 Dec 2015 13:36:15 +0000
Subject: Re: [Oisf-users] packet loss troubleshooting




I am at about 10% now. So this is not good.
So whenever I see capture.kernel_drops, this is always an OS or NIC problem? Suricata itself has nothing to do with it, right?
I guess once I start seeing kernel drops, reassembly gaps start to increase. Is that correct as well?
I am not an expert on net.core.* buffers. Can you advise on which ones I need to increase or how to find out which ones I need to increase?
Thank you.

> Subject: Re: [Oisf-users] packet loss troubleshooting
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> From: cnelson at ucsd.edu
> Date: Tue, 8 Dec 2015 12:22:53 -0800
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> You are dropping packets in the kernel.
> 
> If you do the math this is actually 0.64%, which is under 1% and
> considered normal.  You can try increasing your net.core.* buffers via
> sysctl, but in my experience Suricata will always drop packets when
> being started or under a DOS/packet-flood scenario.
> 
> As long as drops are under 1% over long periods you should be fine.
> 
> - -Coop
> 
> On 12/8/2015 7:14 AM, Yasha Zislin wrote:
> > I am trying to narrow down good config to reduce packet loss. It seems
> > that it is related to reassembly of streams.
> > I keep getting reassembly gaps and therefore packet loss. Here is an
> > example stats.log
> > capture.kernel_packets    | RxPFReth02                | 455937792
> > capture.kernel_drops      | RxPFReth02                | 2921250
> 
> 
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> 
> -----END PGP SIGNATURE-----
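
Added example (not part of the thread and not Suricata code): the cumulative ratio from the reply, 2921250 / 455937792, computed next to the same ratio for each interval between stats.log dumps, because the counters are cumulative and a long-run figure under 1% can coexist with a recent interval above it. The two earlier dumps, the function names and the threshold parameter are constructed for illustration.

```python
import re

# Constructed sample (stats.log layout from the thread); only the last dump is the thread's data.
SAMPLE = """\
Date: 12/8/2015 -- 05:00:00 (uptime: 0d, 02h 00m 00s)
capture.kernel_packets    | RxPFReth02                | 100000000
capture.kernel_drops      | RxPFReth02                | 500000
Date: 12/8/2015 -- 11:00:00 (uptime: 0d, 08h 00m 00s)
capture.kernel_packets    | RxPFReth02                | 400000000
capture.kernel_drops      | RxPFReth02                | 1000000
Date: 12/8/2015 -- 15:00:00 (uptime: 0d, 12h 00m 00s)
capture.kernel_packets    | RxPFReth02                | 455937792
capture.kernel_drops      | RxPFReth02                | 2921250
"""

COUNTER = re.compile(r"^capture\.kernel_(packets|drops)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Split stats.log text into dumps: [{thread: {"packets": n, "drops": n}}, ...]."""
    dumps = []
    for line in text.splitlines():
        m = COUNTER.match(line)
        if line.startswith("Date:"):
            dumps.append({})
        elif m and dumps:
            kind, thread, value = m.groups()
            dumps[-1].setdefault(thread, {})[kind] = int(value)
    return dumps

def pct(drops, packets):  # same ratio the thread uses: kernel_drops / kernel_packets
    return round(100.0 * drops / packets, 2)

def drop_report(text, threshold_pct=1.0):
    """Per capture thread: cumulative drop % and drop % for each interval between dumps."""
    dumps = parse_dumps(text)
    report = {}
    for thread, last in (dumps[-1] if dumps else {}).items():
        series = [d[thread] for d in dumps if thread in d]
        intervals = []
        for prev, cur in zip(series, series[1:]):
            d_pkts = cur["packets"] - prev["packets"]
            d_drops = cur["drops"] - prev["drops"]
            if d_pkts > 0 and d_drops >= 0:  # skip counter resets after a restart
                intervals.append(pct(d_drops, d_pkts))
        report[thread] = {
            "cumulative_pct": pct(last["drops"], last["packets"]),
            "interval_pct": intervals,
            "latest_over_threshold": bool(intervals) and intervals[-1] > threshold_pct,
        }
    return report
```
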
 		 	   		  
