[Oisf-users] packet loss troubleshooting
Yasha Zislin
coolyasha at hotmail.com
Wed Dec 9 19:32:03 UTC 2015
I use PF_RING.
Changing these net.core buffers actually made it worse. Packet loss is instant with 30%. These are what my defaults are:
net.core.wmem_default = 124928
net.core.rmem_default = 124928
net.core.netdev_max_backlog = 1000
I have a 10 gig NIC as well. Not that busy a pipe. About 1 million packets a minute.
> Subject: Re: [Oisf-users] packet loss troubleshooting
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> From: cnelson at ucsd.edu
> Date: Wed, 9 Dec 2015 09:03:33 -0800
>
> I use AF_PACKET + mmap mode, as described here:
>
> > https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>
> This is my config for a 16 core server. Using af-packet mode and large
> buffers is the best way to mitigate packet drops in my experience.
>
> > af-packet:
> >   - interface: eth2
> >     threads: 16
> >     cluster-id: 99
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     use-mmap: yes
> >     ring-size: 500000
> >     use-emergency-flush: yes
> >     buffer-size: 1048576
> >     checksum-checks: kernel
>
> To answer your question, you can drop packets anywhere. I believe if
> you see kernel drops that means you could be losing packets from the NIC
> -> kernel or from the kernel -> suricata. Increasing the sysctl
> parameters mitigates the former. Increasing suricata's buffers
> mitigates the latter.
>
> Here is my config for a heavily utilized 10Gbit tap:
>
> > net.core.netdev_max_backlog = 8000000
> > net.core.rmem_default = 1073741824
> > net.core.rmem_max = 1073741824
>
> Make sure you make them permanent with 'sysctl -p' if you change them.
>
> -Coop
>
> On 12/9/2015 5:36 AM, Yasha Zislin wrote:
> > I am at about 10% now. So this is not good.
> > So whenever I see capture.kernel_drops this is always an OS or NIC problem?
> > Suricata itself has nothing to do with it, right?
> > I guess once I start seeing kernel drops, reassembly gaps start to
> > increase. Is that correct as well?
> >
> > I am not an expert on net.core.* buffers. Can you advise on which ones I
> > need to increase or how to find out which ones I need to increase?
> >
> > Thank you.
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
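Added example, not part of the thread and not Suricata's own code: a way to measure the capture.kernel_drops rate discussed above per stats interval, so the effect of a sysctl or ring-size change can be compared before and after. The stats.log layout ("Date:" header, then "Counter | TM Name | Value" rows), the thread names, the sample values and the function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed stats.log excerpt (not from the thread); the layout
# "Counter | TM Name | Value" under a "Date:" header is assumed.
SAMPLE = """\
Date: 12/9/2015 -- 19:30:03 (uptime: 0d, 00h 10m 03s)
capture.kernel_packets    | RxPFReth21    | 600000
capture.kernel_drops      | RxPFReth21    | 0
capture.kernel_packets    | RxPFReth22    | 400000
capture.kernel_drops      | RxPFReth22    | 0
Date: 12/9/2015 -- 19:31:03 (uptime: 0d, 00h 11m 03s)
capture.kernel_packets    | RxPFReth21    | 1200000
capture.kernel_drops      | RxPFReth21    | 250000
capture.kernel_packets    | RxPFReth22    | 800000
capture.kernel_drops      | RxPFReth22    | 50000
Date: 12/9/2015 -- 19:32:03 (uptime: 0d, 00h 00m 30s)
capture.kernel_packets    | RxPFReth21    | 100000
capture.kernel_drops      | RxPFReth21    | 0
"""

ROW = re.compile(r"^(capture\.kernel_(?:packets|drops))\s*\|\s*\S+\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Return [(timestamp, {counter: sum over capture threads}), ...]."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append((line[5:].split("(")[0].strip(), defaultdict(int)))
        elif dumps and (m := ROW.match(line.strip())):
            dumps[-1][1][m.group(1)] += int(m.group(2))
    return dumps

def interval_drop_rates(dumps):
    """Drop percentage per interval from deltas of the cumulative counters."""
    # Assumption: the rate is taken as drops / kernel_packets for the interval.
    out = []
    for (_, prev), (ts, cur) in zip(dumps, dumps[1:]):
        d_pkts = cur["capture.kernel_packets"] - prev["capture.kernel_packets"]
        d_drop = cur["capture.kernel_drops"] - prev["capture.kernel_drops"]
        if d_pkts < 0 or d_drop < 0:      # counters went backwards: Suricata restarted
            out.append((ts, None))
        else:
            out.append((ts, round(100.0 * d_drop / d_pkts, 2) if d_pkts else 0.0))
    return out

if __name__ == "__main__":
    for ts, pct in interval_drop_rates(parse_dumps(SAMPLE)):
        print(ts, "counter reset" if pct is None else f"{pct}% dropped")
```

Because the counters are cumulative, the lifetime ratio hides a sudden change; the per-interval delta shows whether loss began right after a tuning change, and a restart is reported as a reset rather than as a negative rate.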