[Oisf-users] packet loss troubleshooting
Brandon Lattin
latt0050 at umn.edu
Wed Dec 9 21:13:54 UTC 2015
Keep in mind that large flows can induce bursty packetloss.
For instance, a perfSonar network monitoring device will test bandwidth by
shoving many gigabytes of max MTU null padded packets through the pipe to a
remote perfSonar box. This will result in the whole stream being buffered
and fed to a single core due to tuple hashing. Chances are good that your
buffer won't flush fast enough and you'll start dropping packets.
Long story short. Know your traffic. See what netflow has to say.
On Wed, Dec 9, 2015 at 1:51 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Let it run for a bit. There is race condition somewhere that causes
> suricata to drop packets when its starting up and large buffers are
> enabled. Or, at least there is on my config.
>
> Aside from that, try running a "top-talkers" report to see if is any
> traffic you can filter out. Just dropping our local Netflix/Youtube
> caches doubled our capacity.
>
> - -Coop
>
> On 12/9/2015 11:32 AM, Yasha Zislin wrote:
> > I use PF_RING.
> >
> > Changing these net.core buffers actually made it worse. Packet loss is
> > instant with 30%.
> > These are what my defaults are:
> > net.core.wmem_default = 124928
> > net.core.rmem_default = 124928
> > net.core.netdev_max_backlog = 1000
> >
> > I have 10 gig NIC as well. Not that busy pipe. About 1 million packets a
> > minute.
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
>
> iQEcBAEBAgAGBQJWaIZLAAoJEKIFRYQsa8FWnhMH/Ag8+EPGSdtigG7eXED0K2hG
> h8ZyMn5GTWgz6cAS62EED8RS8ot6Q8FRBNrOf7Yd87jytdSMUN+FuzWRLheGP615
> 944UuMm66oJgtMfINRTZTsEubnnS7NYVMexTBMzhU+Y7qbZo6qTupx1S7ULtidHC
> mvdBmWyf7IJex9ccGyBhwjDYJqMLkK0ThDkfJlMUN3fm5MhYyri94y9y2XI+aYtL
> CrteDmXDvOZ63mWGQdS+WDNv/0UNpkTSlGBV0mZs4KWRa3bSiAY2aheoMAnMjgyW
> RopmFif6dzHN8eAjfce+70R0KZFgtBMCKL/9VOIGFmCpv5JHe+zvY3ainZ3ePgk=
> =7DOe
> -----END PGP SIGNATURE-----
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
--
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151209/ef279841/attachment-0002.html>
More information about the Oisf-users
mailing list