[Oisf-users] Out of band 10Gb Suricata
Brian Hennigar
bhennigar at gmail.com
Wed Oct 14 17:34:09 UTC 2015
Hi,
I'm testing Suricata on 10Gb fiber with out-of-band SPAN ports (not
inline) and have noticed a high volume of packet loss. Are there any best
practices for using 10Gb when NOT inline?
For testing, I'm using ESXi 5.5 and an Ubuntu 14.04 VM with vmxnet3 network
adapters. The VM has 64 GB RAM and 8 cores. All offloading options are
disabled on the interface.
*From stats.log*
capture.kernel_packets | RxPcapeth71 | 10498699
capture.kernel_drops | RxPcapeth71 | 8892234
capture.kernel_ifdrops | RxPcapeth71 | 73
*From suricata.yaml*
stream:
  memcap: 14gb
  checksum-validation: no      # reject wrong csums
  inline: no                   # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 20gb
    depth: 64mb                # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
Thanks!!