[Oisf-users] packet loss troubleshooting

Peter Manev petermanev at gmail.com
Thu Dec 17 00:27:56 UTC 2015


On Thu, Dec 10, 2015 at 2:09 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> After running with lower values for about half a day, I still get 30% loss.
> I ran your command and got this as an output:
> 100000 packets captured
> 100000 packets received by filter
> 0 packets dropped by kernel
>   38278 ...
>
> This sensor does not see netflix/youtube traffic.
>
> What would be the best tool that you recommend to profile my traffic?

You can try - iptraf - it will give you an idea by proto/port/pps breakdowns.

What is your max pending packets value in suricata.yaml?
Do you have VLANs in your traffic?
What is the output of  - modinfo pf_ring && cat /proc/net/pf_ring/info ?


>
> Thanks.
>
>> Subject: Re: [Oisf-users] packet loss troubleshooting
>> To: latt0050 at umn.edu
>> CC: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
>> From: cnelson at ucsd.edu
>> Date: Wed, 9 Dec 2015 13:24:45 -0800
>
>>
>> I use this script to troubleshoot "live" performance issues on our sensor.
>>
>> > #!/bin/bash
>> >
>> > sudo tcpdump -tnn -c 100000 -i eth2 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '
>>
>> Adjust the interface and packet count (-c) as necessary for your system.
>>
>> In our case, it turned out about 1/3 of our network traffic originates
>> from a single /24 on our ISP that is used to host CDN servers (like
>> Netflix).
>>
>> -Coop
>>
>> On 12/9/2015 1:13 PM, Brandon Lattin wrote:
>> > Keep in mind that large flows can induce bursty packetloss.
>> >
>> > For instance, a perfSonar network monitoring device will test bandwidth
>> > by shoving many gigabytes of max MTU null padded packets through the
>> > pipe to a remote perfSonar box. This will result in the whole stream
>> > being buffered and fed to a single core due to tuple hashing. Chances
>> > are good that your buffer won't flush fast enough and you'll start
>> > dropping packets.
>> >
>> > Long story short. Know your traffic. See what netflow has to say.
>>
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu x41042
>



-- 
Regards,
Peter Manev
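
The top-talker script quoted above counts packets per source IP; the following added example (not code from the thread or its authors) goes one step further and groups `tcpdump -tnn` output by source /24 with each network's share of the sample, which is the view that exposes a single CDN range or one large flow dominating a sensor. The function names `top_src_nets` and `sample_capture`, the minimum-share argument and the sample lines are assumptions made for illustration; only IPv4 lines are counted.

```shell
#!/bin/bash
# Added example: per-/24 view of the per-IP count done by the script in the thread.
# top_src_nets and sample_capture are hypothetical names; IPv4 only.

# Read `tcpdump -tnn` text on stdin; print "packets share source-/24",
# busiest first. $1 = minimum share in percent to report (default 1).
top_src_nets() {
    local min_pct="${1:-1}"
    LC_ALL=C awk -v min="$min_pct" '
        $1 == "IP" {                      # skips ARP, IP6 and other non-IPv4 lines
            if (split($2, o, ".") < 4) next
            net = o[1] "." o[2] "." o[3] ".0/24"   # drop host octet and port
            count[net]++
            total++
        }
        END {
            for (net in count) {
                pct = 100 * count[net] / total
                if (pct >= min)
                    printf "%d %.1f%% %s\n", count[net], pct, net
            }
        }' | LC_ALL=C sort -k1,1nr -k3,3
}

# Constructed sample in `tcpdump -tnn` format (documentation address ranges).
sample_capture() {
    cat <<'EOF'
IP 198.51.100.10.443 > 10.0.0.5.51000: Flags [.], seq 1:1449, ack 1, win 229, length 1448
IP 198.51.100.10.443 > 10.0.0.5.51000: Flags [.], seq 1449:2897, ack 1, win 229, length 1448
IP 198.51.100.77.443 > 10.0.0.6.51001: Flags [.], seq 1:1449, ack 1, win 229, length 1448
IP 198.51.100.77.443 > 10.0.0.6.51001: Flags [P.], seq 1449:2000, ack 1, win 229, length 551
IP 10.0.0.5.51000 > 198.51.100.10.443: Flags [.], ack 1449, win 1024, length 0
IP 10.0.0.5.51000 > 198.51.100.10.443: Flags [.], ack 2897, win 1024, length 0
IP 192.0.2.1 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
IP6 2001:db8::1.443 > 2001:db8::2.51002: Flags [.], ack 1, win 229, length 0
EOF
}

# Live use (interface and count as in the thread):
#   sudo tcpdump -tnn -c 100000 -i eth2 2>/dev/null | top_src_nets 1
sample_capture | top_src_nets 20
```
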