[Oisf-users] packet loss troubleshooting

Cooper F. Nelson cnelson at ucsd.edu
Wed Dec 9 17:03:33 UTC 2015


I use AF_PACKET + mmap mode, as described here:

> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/

This is my config for a 16 core server.  Using af-packet mode and large
buffers is the best way to mitigate packet drops in my experience.

> af-packet:
>   - interface: eth2
>     threads: 16
>     cluster-id: 99
>     cluster-type: cluster_flow
>     defrag: yes
>     use-mmap: yes
>     ring-size: 500000
>     use-emergency-flush: yes
>     buffer-size: 1048576
>     checksum-checks: kernel

To answer your question, you can drop packets anywhere.  I believe if
you see kernel drops that means you could be losing packets from the NIC
-> kernel or from the kernel -> suricata.  Increasing the sysctl
parameters mitigates the former.  Increasing suricata's buffers
mitigates the latter.

Here is my config for a heavily utilized 10Gbit tap:

> net.core.netdev_max_backlog = 8000000
> net.core.rmem_default = 1073741824
> net.core.rmem_max = 1073741824

Make sure you make them permanent with 'sysctl -p' if you change them.

-Coop

On 12/9/2015 5:36 AM, Yasha Zislin wrote:
> I am at about 10% now. So this is not good.
> So whenever I see capture.kernel_drops this is always OS or NIC problem?
> Suricata itself has nothing to do with it, right?
> I guess once I start seeing kernel drops, reassembly gaps start to
> increase. Is that correct as well?
> I am not an expert on net.core.* buffers. Can you advise on which ones i
> need to increase or how to find out which ones I need to increase?
> Thank you.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
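An added example, not code from this thread: a small Python helper that computes the capture.kernel_drops percentage per capture thread from stats.log counter rows and compares the running kernel's net.core values with the ones Coop posted above. The stats rows are constructed here in the "counter | thread | value" layout, and the /proc/sys path and the row regex are assumptions about the Suricata version in use.

```python
import re
from pathlib import Path

# A stats.log counter row looks like: "capture.kernel_drops | AFPacketeth21 | 123"
# (assumed layout; header, separator and "Date:" lines do not match and are skipped)
STATS_ROW = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Constructed sample in that layout: one thread dropping ~10%, one clean thread
SAMPLE_STATS = """\
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth21             | 1000000
capture.kernel_drops      | AFPacketeth21             | 100000
capture.kernel_packets    | AFPacketeth22             | 800000
capture.kernel_drops      | AFPacketeth22             | 0
"""

# The sysctl values Coop uses for a heavily utilized 10Gbit tap
WANTED_SYSCTL = {
    "net.core.netdev_max_backlog": 8000000,
    "net.core.rmem_default": 1073741824,
    "net.core.rmem_max": 1073741824,
}

def parse_stats(text):
    """Return {thread: {counter: value}} from the counter rows of a stats.log dump."""
    per_thread = {}
    for line in text.splitlines():
        m = STATS_ROW.match(line)
        if m:
            counter, thread, value = m.group(1), m.group(2), int(m.group(3))
            per_thread.setdefault(thread, {})[counter] = value
    return per_thread

def kernel_drop_rates(per_thread):
    """Percentage of packets the kernel reported as dropped, per capture thread."""
    rates = {}
    for thread, counters in per_thread.items():
        packets = counters.get("capture.kernel_packets", 0)
        drops = counters.get("capture.kernel_drops", 0)
        if packets:  # skip threads that have not seen traffic yet
            rates[thread] = round(100.0 * drops / packets, 2)
    return rates

def read_sysctl(keys, root="/proc/sys"):
    """Current kernel values via /proc/sys (assumed path); unreadable keys become None."""
    current = {}
    for key in keys:
        p = Path(root) / key.replace(".", "/")
        current[key] = int(p.read_text()) if p.exists() else None
    return current

def undersized_sysctl(current, wanted=WANTED_SYSCTL):
    """Keys whose current value is below the posted setting, or could not be read."""
    return sorted(k for k, v in wanted.items()
                  if current.get(k) is None or current[k] < v)

if __name__ == "__main__":
    print("kernel drop %:", kernel_drop_rates(parse_stats(SAMPLE_STATS)))
    print("sysctl below posted values:", undersized_sysctl(read_sysctl(WANTED_SYSCTL)))
```

Point `parse_stats` at the real stats.log contents to see which threads are losing packets before touching the buffers.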