[Oisf-users] Disable offloading on bond interface

Peter Manev petermanev at gmail.com
Thu Feb 5 21:13:27 UTC 2015

On Thu, Feb 5, 2015 at 1:23 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> I think it depends how you are using suricata.
> If you are using it in inline mode, then it might make sense to leave
> the offloading on as it could improve performance.

It also depends on the particular setup, I would suspect - whether you
are using some HW acceleration or commodity (off the shelf) NICs and
so on.

> If you are using suricata in monitor mode, you want all offloading
> disabled. It's very important that suricata gets the packets exactly as
> they were off the wire.
> -Coop
> On 2/5/2015 7:04 AM, unite wrote:
>> So, probably I didn't get it well.
>> I've read that if I don't disable nic offloading on the interface it
>> might cause checksum errors so suricata might drop legitimate traffic,
>> so as I understood for best results I have two options - disable nic
>> offloading or disable checksum verifying in suricata. Also offloading
>> needs to be disabled if I want to use file extraction feature.
>> So if I don't need file extraction at the moment, can I just disable
>> checksum verifying and it will work all right? Won't it affect
>> performance/security?
>> Also, does disabling nic offloading affect CPU usage?
>> On 2015-01-28 18:42, Cooper F. Nelson wrote:
>> As I said, this is as far as I know. It's been a few years since I've
>> done anything with a bonded interface.
>> It's kind of tricky to test if this works or not.  What I've found is
>> that if file extraction doesn't work then your offloading settings are
>> not disabled properly.  I'm sure this would also cause lots of decoder
>> events if you had those rules enabled.
>> On 1/28/2015 1:30 AM, unite wrote:
>>>>> I've tried disabling offloading on my test machine in three scenarios:
>>>>> 1) on physical interfaces (eth0 eth1)
>>>>> In this case "ethtool -k" for eth0/eth1 shows that offloading features
>>>>> are disabled, but "ethtool -k bond0"  still shows some of them enabled.
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042

Peter Manev
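The check unite describes above (offloading off on eth0/eth1 per "ethtool -k", yet still partly on for bond0) can be automated. The script below is an added example, not from the thread or from the Suricata project: it parses "ethtool -k" text and lists the offload features that are still on for the bond but already off on a slave. The device names and the sample ethtool output are constructed for the demonstration.

```shell
# Added example, not from the thread: parse `ethtool -k` output and report the
# offload features still "on", and those on the bond that a slave has already off.

# enabled_offloads: read `ethtool -k <dev>` text on stdin; print each feature
# (top level or indented sub-feature) whose state is "on". Entries marked
# "[fixed]" cannot be changed with ethtool -K and are skipped.
enabled_offloads() {
    awk '/^Features for/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)   # strip sub-feature indent
          n = index(line, ": "); if (n == 0) next
          name = substr(line, 1, n - 1); state = substr(line, n + 2)
          if (state ~ /^on/ && state !~ /\[fixed\]/) print name }'
}

# bond_only_offloads BONDFILE SLAVEFILE: features on for the bond but not for
# the slave, i.e. what "ethtool -K eth0 ... off" did not clear on bond0.
bond_only_offloads() {
    slave_on=$(enabled_offloads < "$2" | tr '\n' ' ')
    enabled_offloads < "$1" | while IFS= read -r f; do
        case " $slave_on" in *" $f "*) ;; *) printf '%s\n' "$f" ;; esac
    done
}

# Constructed sample output (not captured from a real host). On a live box:
#   ethtool -k bond0 > bond0.txt; ethtool -k eth0 > eth0.txt
tmpdir=$(mktemp -d)
cat > "$tmpdir/bond0.txt" <<'EOF'
Features for bond0:
rx-checksumming: off [fixed]
tx-checksumming: on
    tx-checksum-ip-generic: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
cat > "$tmpdir/eth0.txt" <<'EOF'
Features for eth0:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ip-generic: off
tcp-segmentation-offload: off
    tx-tcp-segmentation: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
EOF
echo "Enabled on bond0 but disabled on eth0:"
bond_only_offloads "$tmpdir/bond0.txt" "$tmpdir/eth0.txt"
rm -rf "$tmpdir"
```

Any feature the script prints for bond0 is one that monitor-mode Suricata will still see altered packets from, so it is the list to feed to "ethtool -K bond0 ... off" and re-check.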
