[Oisf-users] decoder.invalid count

Spransy, Derek dsprans at emory.edu
Wed Nov 25 15:50:02 UTC 2015

I believe that everything is off that should be. I run a script at startup which does the following:

for i in rx tx sg tso ufo gso gro lro;
	do /usr/sbin/ethtool -K enp2s0f0 $i off;
done

Here's the current output of ethtool -k:

Features for enp2s0f0:
rx-checksumming: off
tx-checksumming: off
	tx-checksum-ipv4: off
	tx-checksum-ip-generic: off [fixed]
	tx-checksum-ipv6: off
	tx-checksum-fcoe-crc: on [fixed]
	tx-checksum-sctp: off
scatter-gather: off
	tx-scatter-gather: off
	tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
	tx-tcp-segmentation: off
	tx-tcp-ecn-segmentation: off [fixed]
	tx-tcp6-segmentation: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: on
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: on [fixed]
tx-gre-segmentation: off [fixed]
tx-ipip-segmentation: off [fixed]
tx-sit-segmentation: off [fixed]
tx-udp_tnl-segmentation: on
tx-mpls-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
busy-poll: on [fixed]

From: Victor Julien <lists at inliniac.net>
Sent: Wednesday, November 25, 2015 10:32 AM
To: Spransy, Derek; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] decoder.invalid count

On 23-11-15 20:09, Spransy, Derek wrote:
> Thanks Julien, that's very useful information. What I found is that we're matching "SURICATA IPv4 truncated packet" over and over again. When I take a look at the packets in question I see that the length field is set to 05 F1 (1521), which doesn't match the actual length of the packets at all. So now I have to talk to our network folks to find out what's going on there.

Most likely cause is interface offloading, did you disable those with

> When the decoder detects this situation is the packet/stream subsequently discarded, or does processing of the packet continue?

They are discarded.


> ________________________________________
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
> Sent: Monday, November 23, 2015 1:05 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] decoder.invalid count
> On 23-11-15 16:30, Spransy, Derek wrote:
>> I'm troubleshooting a very high decoder.invalid count on my sensor;
>> nearly 35%. My kernel drop count is less than 1% and we seem to be
>> generating about the number of alerts that I would expect. I'm not able
>> to find much in the way of documentation that explains what may lead to
>> a packet being marked as invalid in Suricata. The only thing I've found
>> so far is advice to make sure that the interface MTU and Suricata.yaml
>> MTU settings match (which they do) and ensure that the MTU is large
>> enough for packets being seen on that interface (it is). I even tried to
>> increase the MTU to 9026 without any difference. Can anyone point me in
>> the direction of other factors that could be at work here?
> All the reasons for incrementing this counter should be matchable
> through the decoder-events.rules we ship. Enable this file to find out more.
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
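
An added example, not part of the original thread: a small shell filter for checking the result of a startup loop like the one above. It reads `ethtool -k` output and lists the features that are still "on" and not marked [fixed], i.e. the ones the driver would still let you change. The function names and the embedded sample (a subset of the output quoted in this message) are chosen for this example.

```shell
#!/bin/sh
# Added example: report offload features that are still enabled and changeable.
# Usage on a sensor:  ethtool -k enp2s0f0 | changeable_on

# Reads `ethtool -k <iface>` output on stdin, prints one feature name per line.
changeable_on() {
    awk -F': *' '
        /^Features for / { next }            # skip the header line
        NF < 2           { next }            # skip anything that is not "name: state"
        {
            name = $1
            sub(/^[ \t]+/, "", name)         # sub-features are indented
            state = $2
            if (state ~ /\[fixed\]/) next    # driver does not allow toggling these
            if (state ~ /^on/) print name
        }'
}

# Sample input: a subset of the ethtool -k output quoted in this message.
sample_output() {
cat <<'EOF'
Features for enp2s0f0:
rx-checksumming: off
tx-checksumming: off
  tx-checksum-fcoe-crc: on [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
receive-hashing: on
highdma: on [fixed]
tx-udp_tnl-segmentation: on
tx-nocache-copy: on
busy-poll: on [fixed]
EOF
}

# Run against the embedded sample when executed directly.
sample_output | changeable_on
```

For the sample, the filter reports the five features that the rx/tx/sg/tso/ufo/gso/gro/lro loop did not touch.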
