[Oisf-users] Packets errors

Yasha Zislin coolyasha at hotmail.com
Mon Feb 23 22:19:48 UTC 2015 

That percentage doesnt match what Suricata reports on packet loss. At the same time it is also very small which is ok.The problem I've noticed is that after some time I had suricata partially freeze and have small detection rate. I've noticed this after upgrading to 2.0.6. When I tried to restart it, it failed to start with error "failed to initialize" one of PF RING interfaces. After I killed it manually, it is working. Just trying to be proactive.
If you these errors on interface cannot cause anything like that, then something else is.

> Date: Mon, 23 Feb 2015 23:13:50 +0100
> From: petermanev at gmail.com
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Packets errors
> 
> 
> 
> On 02/23/2015 02:54 PM, Yasha Zislin wrote:
> > I am using latest release of Suricata (2.0.6) to monitor two span ports on one server. I am using PF_RING with 20 detection threads for each SPAN port. I have finally tweaked my various memory buffers in suricata config to eliminate packet loss almost to zero. 
> > Recently I've noticed some strange info from running ifconfig. Both of my span ports report errors like theses:RX packets:561843496193 errors:3438084 dropped:0 overruns:3438082 frame:2
> 
> From the info provided - errors are 0.00061% of packets - is it really
> that critical in your case?
> 
> 
> > Not sure what the errors and overruns mean and how can I improve that?
> 
> http://www.tldp.org/LDP/nag2/x-087-2-iface.ifconfig.html
> 
> > The only thing I can think of is this: ethtool -C eth0 rx-usecs 500
> > That's what I am using. I was using a value of 1000 and changing to 500 seemed to make it better with packet loss. But setting it to 1 makes it worse.
> > Ideas?
> > Thank you. 		 	   		  
> > 
> > 
> > 
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
> > 
> 
> -- 
> 
> Regards,
> Peter Manev
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150223/a19bdb06/attachment-0002.html>

More information about the Oisf-users mailing list