[Oisf-users] Suricata with PF_RING and IXGBE
Yasha Zislin
coolyasha at hotmail.com
Mon Feb 29 17:14:26 UTC 2016
I have monitored the stats for my instance and you are correct, only one thread processing packets. I've checked my other stand by sensor that has a different NIC and it is showing that other threads do process packets.
It seems that the problem is with ixgbe and load balancing doesnt work right.
Does anybody know how to change that?
> To: oisf-users at lists.openinfosecfoundation.org
> From: lists at inliniac.net
> Date: Mon, 29 Feb 2016 17:24:43 +0100
> Subject: Re: [Oisf-users] Suricata with PF_RING and IXGBE
>
> On 29-02-16 15:52, Yasha Zislin wrote:
> > I have a weird problem. I have a bunch of sensors running in CentOS 6
> > with latest pf_ring and Suricata 2.1beta4.
> > Most of the sensors have HP fiber nics (10 gigs) for monitoring
> > interfaces but two of them have Intel 82599 (ixgbe).
> > One of these Intel sensors is active and the other is standby. Standby
> > barely has any traffic on monitored interface (about 400 packets a
> > minute which are all broadcast).
> > When I start suricata service on the standby, it is impossible to reload
> > rules or to stop it. On stop it eventually dies off with this message:
> > <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect
> > thread - "RxPFReth21". Killing engine
> >
> > I've flipped the active and standby to check if the server/hardware is
> > the problem. The issue moved to the other server when it became standby.
> >
> > I've installed the latest Intel Driver. I've set everything on it as per
> > article:
> > http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html
> >
> > I've tried killing irqbalance and setting affinity. No luck.
> > I did however noticed that if i reduce number of threads to 1,
> > everything is working. But when it is more than one, the issue starts.
> >
> > Did anybody else have this issue with Intel cards and PF_RING???
>
> This looks a lot like this issue here:
> https://redmine.openinfosecfoundation.org/issues/1716
>
> The problem could be that some threads never get traffic.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160229/85c1523d/attachment-0002.html>
More information about the Oisf-users
mailing list