[Oisf-users] Suricata with PF_RING and IXGBE

Yasha Zislin coolyasha at hotmail.com
Mon Feb 29 16:37:35 UTC 2016


I understand what you are saying but PF_RING claims that they have fixed this issue (if this is the same problem):

PF_RING-aware Libpcap: Fixed pcap_breakloop (tcpdump now handles sigterm correctly when there is no traffic)

Also, I have about 400 packets a minute. So you think that just one thread is working and others are idle with no traffic?

> To: oisf-users at lists.openinfosecfoundation.org
> From: lists at inliniac.net
> Date: Mon, 29 Feb 2016 17:24:43 +0100
> Subject: Re: [Oisf-users] Suricata with PF_RING and IXGBE
> 
> On 29-02-16 15:52, Yasha Zislin wrote:
> > I have a weird problem. I have a bunch of sensors running in CentOS 6
> > with latest pf_ring and Suricata 2.1beta4.
> > Most of the sensors have HP fiber nics (10 gigs) for monitoring
> > interfaces but two of them have Intel 82599 (ixgbe).
> > One of these Intel sensors is active and the other is standby. Standby
> > barely has any traffic on monitored interface (about 400 packets a
> > minute which are all broadcast).
> > When I start suricata service on the standby, it is impossible to reload
> > rules or to stop it. On stop it eventually dies off with this message:
> > <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect
> > thread - "RxPFReth21".  Killing engine
> > 
> > I've flipped the active and standby to check if the server/hardware is
> > the problem. The issue moved to the other server when it became standby.
> > 
> > I've installed the latest Intel Driver. I've set everything on it as per
> > article:
> > http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html
> > 
> > I've tried killing irqbalance and setting affinity. No luck.
> > I did however notice that if I reduce the number of threads to 1,
> > everything is working. But when it is more than one, the issue starts.
> > 
> > Did anybody else have this issue with Intel cards and PF_RING???
> 
> This looks a lot like this issue here:
> https://redmine.openinfosecfoundation.org/issues/1716
> 
> The problem could be that some threads never get traffic.
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
 		 	   		  