[Oisf-users] Disable offloading on bond interface

unite unite at openmailbox.org
Thu Feb 5 15:04:38 UTC 2015

So, probably I didn't get it well.

I've read that if I don't disable nic offloading on the interface it 
might cause checksum errors so suricata might drop legitimate traffic, 
so as I understood for best results I have two options - disable nic 
offloading or disable checksum verifying in suricata. Also offloading 
needs to be disabled if I want to use file extraction feature.

So if I don't need file extraction at the moment, can I just disable 
checksum verifying and it will work all right? Won't it affect 

Also, does disabling nic offloading affect CPU usage?

On 2015-01-28 18:42, Cooper F. Nelson wrote:
> Hash: SHA1
> As I said, this is as far as I know.  It's been a few years since I've
> done anything with a bonded interface.
> It's kind of tricky to test if this works or not.  What I've found is
> that if file extraction doesn't work then your offloading settings are
> not disabled properly.  I'm sure this would also cause lots of decoder
> events if you had those rules enabled.
> On 1/28/2015 1:30 AM, unite wrote:
>> I've tried disabling offloading on my test machine in three scenarios:
>> 1) on physical interfaces (eth0 eth1)
>> In this case "ethtool -k" for eth0/eth1 shows that offloading features
>> are disabled, but "ethtool -k bond0"  still shows some of them 
>> enabled.
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> Version: GnuPG v2.0.17 (MingW32)
> WvP59leMHFjQHLvHhGuk3l2EzgljDp9OU3QKQF3odxajT4XEthZZEYH9x8urXgHN
> p5LoQSIce8mj8LDlKsBUjFEzlZcJTD22tIYrqG4xBd+1WsG6CVNduRf2Lwf84Tcw
> HOhYpPjTwCjAK673drR3ej7J2LrnYo1W8JD0tqrsqnA6jJkM6+dtLhk37fmw/tdm
> nXwkmdULM1yv7Xp+jKF0pSOIV5+qSXb/XisPHLLtp1tOT0UAX4UeoVcU3ilasoGF
> P29sOduI0ZAY+zKyFdm8SG05Sn15pXIiyAGVvY3awLebxQZyZL6/AJ0lT5JdutI=
> =s7j7

With kind regards,

More information about the Oisf-users mailing list