[Oisf-users] Suricata load/latency spikes

Oliver Humpage oliver at watershed.co.uk
Mon Jul 13 14:49:11 UTC 2015

On 9 Jul 2015, at 17:24, Victor Julien <lists at inliniac.net> wrote:

> It's likely the stream engine rejecting some packets. To test this, you
> can set "inline" in your stream section to "false".
> If this would solve it, I would love to see a pcap recording of when it
> fails. It would mean a stream engine bug :)

Alas, "inline: false" didn't fix it. I'm none the wiser as to why the drops are happening, but I now have netmap mode working so I'm going to put this one down to "random weirdness" and leave it at that.

(With Aleksy's help, I got netmap working, and it's nearly twice as fast as ipfw+divert. Turns out you need to a) put ESXi vSwitches into "promiscuous" mode for netmap to work in a virtualised environment, and b) put suricata into "workers" runmode for suricata to work. I think Aleksy is fixing the latter, and he's also working on a feature enhancement to the netmap code that should mean no-one ever has to use ipfw/divert ever again!)
