[Oisf-users] EXTERNAL: Very large packet loss on Suricata 2.1beta4 and Myricom 3.0.1
Rasmor, Zachary R
zachary.r.rasmor at lmco.com
Thu Jul 23 13:48:31 UTC 2015
Hello Michal,
Have you tried raising the data and descriptor ring sizes from the default?
Look at this article for reference:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Myricom
Zach
________________________
Zach Rasmor
Email: zachary.r.rasmor at lmco.com
Office: 301.240.6116
-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org
[mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
Michal Purzynski
Sent: Wednesday, July 22, 2015 8:06 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: EXTERNAL: [Oisf-users] Very large packet loss on Suricata 2.1beta4
and Myricom 3.0.1
Hello. I have a huge packet loss on Suricata 2.1beta with a Myricom card.
myri_counters
Board <mac address here> with 1 ports
Lanai uptime (seconds): 10044
Counters uptime (seconds): 4162
Net send KBytes: 30
Net recv KBytes: 2460199492
Ethernet send: 139
Ethernet Small recv: 0
Ethernet Big recv: 0
Ethernet recv down: 0
Ethernet recv overrun: 0
SNF send pkts: 0
SNF recv pkts: 2296703112
SNF drop ring full: 1429384496
Interrupts: 10216972
Net bad PHY/CRC32 drop: 1
Net overflow drop: 0
Net Recv PAUSEs: 0
Ethernet Multicast filter drop: 0
Ethernet Unicast filter drop: 0
Look at the SNF drop ring full - it's like 60%.
Suricata has been built against the Myricom libpcap:
libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007fcfd3d8d000)
libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007fcfd21e1000)
The configuration file is attached.
A bit about the hardware:
- Intel(R) Xeon(R) CPU E5-2697 v3 @ 2.60GHz, two CPUs, total 28 physical cores
- 128GB RAM
- Single port Myricom, with drivers in version 3.0.1
- ET Pro rules, around 15 000 of them, with 15 000 IP addresses in reputation lists
What have I tried?
- changing the number of workers, to 16 / 26 / 28 / 32
- removing ip reputation
- removing all local rules
- removing ALL (!!) rules
Nothing helped.
It is quite interesting - with no rules Suricata still has between 60-90%
packet loss.
The machine is not oversubscribed, quite the opposite - I see 2-3 cores being
busy (and sometimes just one) most of the time.
I have between 6-10Gbits of traffic, with some spikes.