[Oisf-users] Suricata load/latency spikes

robert.jamison at bt.com robert.jamison at bt.com
Mon Jun 29 16:36:21 UTC 2015


If you are going to install a parallel instance, you might think about engaging the SCLogDebug statements in the DNS source files [app-layer-dns-common.c, app-layer-dns-udp.c, app-layer-dns-tcp.c]. Looking through the configuration, --enable-debug on compilation is going to open up a wealth of logging. These include:

	app-layer-dns-common.c
		DNSGetTx
			Tx-> tx_num, tx_id+1
			Returning tx
		DNSSetEvent
			s->curr->decoder_events
			couldn't set event
		and ~20 more like "not a request", "Z flag not 0", etc. in app-layer-dns-common.c alone.

-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Peter Manev
Sent: Monday, June 29, 2015 12:09 PM
To: Oliver Humpage
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata load/latency spikes



> On 29 jun 2015, at 18:04, Oliver Humpage <oliver at watershed.co.uk> wrote:
> 
> 
>> On 29 Jun 2015, at 16:03, Victor Julien <lists at inliniac.net> wrote:
>> 
>> Enabling packet profiling (configure with --enable-profiling) gives 
>> you a break down of where suricata spends most time in the packet 
>> path, broken down by protocol.
> 
> Ah, good idea. I've set my router to grab a few thousand packets to a pcap file whenever ping latency goes up to over 100ms.
> 
> I guess I should install a profiling-enabled suricata on a different machine to analyse the files, so as not to let profiling affect the performance of the main router?

Highly advisable indeed (at least as a first step) since the profiling affects performance - but not sure if reading a pcap can pinpoint the issue you are experiencing 100%.

> 
> Oliver.
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: 
> http://oisfevents.net
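Oliver's latency-triggered capture, reconstructed as an added example that is not part of this thread or of Suricata itself: a POSIX shell script that polls ping RTT to a gateway and, once it passes 100 ms, saves a bounded pcap that can later be replayed with suricata -r on a separate, profiling-enabled box. The gateway address, interface, packet count and output directory are assumptions, set through environment variables.

```shell
#!/bin/sh
# Latency-triggered packet capture (added example, not from the thread).
# Polls ping RTT to a gateway; when it is above THRESHOLD_MS, tcpdump grabs
# a fixed number of packets into a timestamped pcap for offline analysis.
# All defaults below are assumptions; override them via the environment.

THRESHOLD_MS="${THRESHOLD_MS:-100}"   # trigger when RTT is above this (ms)
TARGET="${TARGET:-192.0.2.1}"         # placeholder gateway (RFC 5737 range)
IFACE="${IFACE:-eth0}"
PKT_COUNT="${PKT_COUNT:-3000}"        # "a few thousand packets"
OUTDIR="${OUTDIR:-/var/tmp/latency-pcaps}"

# Extract the RTT in ms from one ping reply line. Prints nothing when the
# line carries no "time=" field (timeouts, banner or summary lines).
rtt_ms_from_ping_line() {
    printf '%s\n' "$1" | sed -n 's/.*time=\([0-9.]*\) *ms.*/\1/p'
}

# Exit 0 (true) when $1 is strictly greater than $2. awk is used because
# RTTs are fractional and sh arithmetic is integer-only.
latency_exceeds() {
    awk -v r="$1" -v t="$2" 'BEGIN { exit !(r + 0 > t + 0) }'
}

# One probe: prints the RTT, or nothing on loss/timeout.
sample_rtt() {
    line=$(ping -c 1 -W 1 "$TARGET" 2>/dev/null | grep 'time=' || true)
    rtt_ms_from_ping_line "$line"
}

# Capture a bounded burst. -n keeps tcpdump from generating its own DNS
# traffic, which would otherwise end up in the capture. Needs root.
capture_burst() {
    mkdir -p "$OUTDIR"
    out="$OUTDIR/spike-$(date +%Y%m%d-%H%M%S).pcap"
    tcpdump -n -i "$IFACE" -c "$PKT_COUNT" -w "$out"
    echo "wrote $out"
}

monitor() {
    while :; do
        rtt=$(sample_rtt)
        if [ -n "$rtt" ] && latency_exceeds "$rtt" "$THRESHOLD_MS"; then
            capture_burst
        fi
        sleep 5
    done
}

# Start the loop only when invoked as "latency-capture.sh run".
case "${1:-}" in run) monitor ;; esac
```

The resulting pcaps can then be replayed on the profiling-enabled instance (suricata -r file.pcap) without the profiling build ever touching the production router.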