[Oisf-users] packet loss troubleshooting

Yasha Zislin coolyasha at hotmail.com
Thu Dec 10 13:09:08 UTC 2015


After running with lower values for about half a day, I still get 30% loss.
I ran your command and got this as an output:
100000 packets captured
100000 packets received by filter
0 packets dropped by kernel
  38278 ...
This sensor does not see netflix/youtube traffic. 
What would be the best tool that you recommend to profile my traffic?
Thanks.
> Subject: Re: [Oisf-users] packet loss troubleshooting
> To: latt0050 at umn.edu
> CC: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> From: cnelson at ucsd.edu
> Date: Wed, 9 Dec 2015 13:24:45 -0800
> 
> I use this script to troubleshoot "live" performance issues on our sensor.
> 
> > #!/bin/bash
> > 
> > sudo tcpdump -tnn -c 100000 -i eth2 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '
> 
> Adjust the interface and packet count (-c) as necessary for your system.
> 
> In our case, it turned out about 1/3 of our network traffic originates
> from a single /24 on our ISP that is used to host CDN servers (like
> Netflix).
> 
> - -Coop
> 
> On 12/9/2015 1:13 PM, Brandon Lattin wrote:
> > Keep in mind that large flows can induce bursty packet loss.
> > 
> > For instance, a perfSonar network monitoring device will test bandwidth
> > by shoving many gigabytes of max MTU null padded packets through the
> > pipe to a remote perfSonar box. This will result in the whole stream
> > being buffered and fed to a single core due to tuple hashing. Chances
> > are good that your buffer won't flush fast enough and you'll start
> > dropping packets. 
> > 
> > Long story short. Know your traffic. See what netflow has to say.
> 
> 
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
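The thread's two suggestions (count packets per source, and check whether one large flow is being hashed to a single core) can be combined in one pass over `tcpdump -tnn` output. This is an added example, not part of the original messages; the function names `profile_capture` and `sample_capture` are hypothetical, the sample lines are constructed, and only IPv4 lines are parsed.

```bash
#!/bin/bash
# Added example: share of packets per source /24 or per flow, from `tcpdump -tnn` text.

# profile_capture MODE [MIN_PCT]   (reads tcpdump -tnn lines on stdin)
#   MODE=net24 : group by source /24
#   MODE=flow  : group by "src.port > dst.port", the tuple that flow hashing pins to one core
#   MIN_PCT    : only print groups with at least this share of packets (default 0)
profile_capture() {
  awk -v mode="$1" -v min="${2:-0}" '
    $1 == "IP" && $3 == ">" {              # IPv4 lines only; IP6 and ARP are skipped
      src = $2; dst = $4; sub(/:$/, "", dst)
      if (mode == "net24") {
        split(src, o, ".")
        key = o[1] "." o[2] "." o[3] ".0/24"
      } else {
        key = src " > " dst
      }
      count[key]++; total++
    }
    END {
      for (k in count) {
        pct = 100 * count[k] / total
        if (pct >= min) printf "%6.2f%% %7d %s\n", pct, count[k], k
      }
    }' | sort -rn
}

# Constructed sample capture (documentation address ranges), for offline use.
sample_capture() {
  cat <<'EOF'
IP 198.51.100.7.443 > 10.1.2.3.51000: Flags [.], seq 1:1449, ack 1, win 229, length 1448
IP 198.51.100.7.443 > 10.1.2.3.51000: Flags [.], seq 1449:2897, ack 1, win 229, length 1448
IP 198.51.100.7.443 > 10.1.2.3.51000: Flags [.], seq 2897:4345, ack 1, win 229, length 1448
IP 198.51.100.7.443 > 10.1.2.3.51000: Flags [.], seq 4345:5793, ack 1, win 229, length 1448
IP 198.51.100.7.443 > 10.1.2.3.51000: Flags [.], seq 5793:7241, ack 1, win 229, length 1448
IP 198.51.100.7.443 > 10.1.2.3.51000: Flags [P.], seq 7241:8689, ack 1, win 229, length 1448
IP 198.51.100.9.443 > 10.1.2.4.51001: Flags [.], ack 1, win 229, length 0
IP 203.0.113.5.80 > 10.1.2.5.40000: Flags [.], ack 1, win 229, length 512
IP 203.0.113.5.80 > 10.1.2.5.40000: Flags [.], ack 513, win 229, length 512
IP 192.0.2.1.53 > 10.1.2.6.33333: UDP, length 45
EOF
}

# Live use, with the interface and count from the script in the thread:
#   sudo tcpdump -tnn -c 100000 -i eth2 | profile_capture flow 5
```

A single line near the top of the `flow` output with a large percentage points to one stream landing on one core; a large `net24` share spread over many flows points to a heavy source network instead.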
 		 	   		  