[Oisf-users] Very large packet loss on Suricata 2.1beta4 and Myricom 3.0.1
Michał Purzyński
michalpurzynski1 at gmail.com
Thu Jul 23 00:05:58 UTC 2015
Hello. I have huge packet loss on Suricata 2.1beta with a Myricom card.
myri_counters
Board <mac address here> with 1 ports
Lanai uptime (seconds): 10044
Counters uptime (seconds): 4162
Net send KBytes: 30
Net recv KBytes: 2460199492
Ethernet send: 139
Ethernet Small recv: 0
Ethernet Big recv: 0
Ethernet recv down: 0
Ethernet recv overrun: 0
SNF send pkts: 0
SNF recv pkts: 2296703112
SNF drop ring full: 1429384496
Interrupts: 10216972
Net bad PHY/CRC32 drop: 1
Net overflow drop: 0
Net Recv PAUSEs: 0
Ethernet Multicast filter drop: 0
Ethernet Unicast filter drop: 0
Look at the SNF drop ring full - it's like 60%.
Suricata has been built against the Myricom libpcap:
libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007fcfd3d8d000)
libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007fcfd21e1000)
The configuration file is attached.
A bit about the hardware:
Intel(R) Xeon(R) CPU E5-2697 v3 @ 2.60GHz, two CPUs, total 28 physical cores
128GB RAM
Single port Myricom, with drivers in version 3.0.1
ET Pro rules, around 15 000 of them with 15 000 IP addresses in reputation lists
What have I tried?
- changing the number of workers, to 16 / 26 / 28 / 32
- removing ip reputation
- removing all local rules
- removing ALL (!!) rules
Nothing helped.
It is quite interesting - with no rules Suricata still has between
60-90% packet loss.
The machine is not oversubscribed, quite the opposite - I see 2-3
cores being busy (and sometimes just one) most of the time.
I have between 6-10Gbits of traffic, with some spikes.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/octet-stream
Size: 36548 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150723/0d3306fa/attachment-0001.obj>