[Oisf-users] Disable offloading on bond interface

Cooper F. Nelson cnelson at ucsd.edu
Thu Feb 5 18:23:34 UTC 2015


I think it depends how you are using suricata.

If you are using it in inline mode, then it might make sense to leave
the offloading on as it could improve performance.

If you are using suricata in monitor mode, you want all offloading
disabled.  It's very important that suricata gets the packets exactly as
they were off the wire.

-Coop

On 2/5/2015 7:04 AM, unite wrote:
> So, probably I didn't get it well.
> I've read that if I don't disable nic offloading on the interface it
> might cause checksum errors so suricata might drop legitimate traffic,
> so as I understood for best results I have two options - disable nic
> offloading or disable checksum verifying in suricata. Also offloading
> needs to be disabled if I want to use file extraction feature.
> So if I don't need file extraction at the moment, can I just disable
> checksum verifying and it will work all right? Won't it affect
> performance/security?
> Also, does disabling nic offloading affect CPU usage?
> On 2015-01-28 18:42, Cooper F. Nelson wrote:
> As I said, this is as far as I know.  It's been a few years since I've
> done anything with a bonded interface.
> It's kind of tricky to test if this works or not.  What I've found is
> that if file extraction doesn't work then your offloading settings are
> not disabled properly.  I'm sure this would also cause lots of decoder
> events if you had those rules enabled.
> On 1/28/2015 1:30 AM, unite wrote:
>>>> I've tried disabling offloading on my test machine in three scenarios:
>>>> 1) on physical interfaces (eth0 eth1)
>>>> In this case "ethtool -k" for eth0/eth1 shows that offloading features
>>>> are disabled, but "ethtool -k bond0"  still shows some of them enabled.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
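As an added example (not code from the thread), a small shell script that turns the usual offload features off on a bond and on each of its slaves, then checks `ethtool -k` on every member, which is the verification the thread keeps coming back to; it assumes Linux with ethtool and the sysfs bonding interface, and the feature list is my choice of the features that commonly alter packets before capture.

```shell
#!/bin/sh
# Added example: disable NIC offloading on a bond and its slaves so a
# Suricata monitor-mode sensor sees packets as they were on the wire.
# Assumes Linux, ethtool, and /sys/class/net/<bond>/bonding/slaves.

# Offload features to turn off (an assumption; adjust for your NIC).
OFFLOADS="rx tx sg tso gso gro lro rxvlan txvlan"

# Read "ethtool -k" output on stdin and print every feature still "on".
# Features marked "[fixed]" cannot be changed by ethtool, so they are
# tagged: such a NIC/driver will keep altering packets no matter what.
enabled_offloads() {
    awk -F': *' '
        NR > 1 && $2 ~ /^on/ {
            name = $1; sub(/^[ \t]+/, "", name)
            if ($2 ~ /\[fixed\]/) print name " (fixed)"; else print name
        }'
}

# The bond itself plus every slave listed in sysfs.
bond_members() {
    bond="$1"
    echo "$bond"
    if [ -r "/sys/class/net/$bond/bonding/slaves" ]; then
        tr ' ' '\n' < "/sys/class/net/$bond/bonding/slaves"
    fi
}

# Turn the features off on each member, then report what is left on.
disable_offloads() {
    for dev in $(bond_members "$1"); do
        for feat in $OFFLOADS; do
            ethtool -K "$dev" "$feat" off 2>/dev/null || true
        done
        left=$(ethtool -k "$dev" | enabled_offloads)
        if [ -n "$left" ]; then
            echo "$dev: still enabled:" $left
        else
            echo "$dev: all offloads disabled"
        fi
    done
}

# Usage: ./offload-off.sh bond0
if [ -n "${1:-}" ]; then
    disable_offloads "$1"
fi
```

Check the slaves as well as the bond: the thread's observation was that `ethtool -k bond0` still reported features on after the physical interfaces had been changed, and a feature the driver reports as `[fixed]` cannot be switched off at all.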

