[Oisf-users] unusual packet loss
Yasha Zislin
coolyasha at hotmail.com
Mon Jan 11 13:46:22 UTC 2016
It's weird but I've reverted back to my regular compilation image and packet loss is completely gone. Hard to say if traffic changed or not, but I dont have this issue anymore.
Thanks for providing CFLAGS link.
> Date: Fri, 8 Jan 2016 12:55:17 +0100
> Subject: Re: [Oisf-users] unusual packet loss
> From: petermanev at gmail.com
> To: coolyasha at hotmail.com
> CC: oisf-users at lists.openinfosecfoundation.org
>
> On Thu, Jan 7, 2016 at 2:10 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> > Peter,
> >
> > So I've found this article:
> > https://home.regit.org/2013/11/using-linux-perf-tools-for-suricata-performance-analysis/
> > Decided to give it a shot to see at which process exactly is the CPU
> > saturation. I've recompiled suricata with that configure flag.
> > After I've started the service on my problematic sensor, packet loss
> > disappeared. Not sure what to think here. It is possible traffic might have
>
> Interesting... can you reproduce that consistently? I mean if you do
> the recompile switch with/without the flag the drops would
> appear/disappear ?
>
> Please have a look here for some CFLAGS explanations -
> https://gcc.gnu.org/onlinedocs/gcc-3.2/gcc/Optimize-Options.html
>
>
> > changed but highly unlikely.
> > BTW, perf top is still not showing suricata methods/functions even with that
> > flag enabled.
> >
> > I dont recall but I think i did try suricata 3.0 with the same result.
> >
> > I will leave this sensor for now since it is working.
> >
> >> Subject: Re: [Oisf-users] unusual packet loss
> >> From: petermanev at gmail.com
> >> To: coolyasha at hotmail.com
> >> CC: oisf-users at lists.openinfosecfoundation.org
> >> Date: Sat, 2 Jan 2016 14:09:07 +0100
> >
> >>
> >> On Thu, 2015-12-24 at 12:09 +0000, Yasha Zislin wrote:
> >> > I have 4 threads running to monitor one interface. One of the threads
> >> > is consuming 100% CPU and starts to have packet loss. Other 3 have
> >> > zero packet loss.
> >>
> >> I was afraid that it is the "management" thread(s) that does this - but
> >> it is not :)
> >>
> >> Which pf_ring version are you employing? (I had a similar case with an
> >> older version - not sure if it is pf_ring though)
> >>
> >> Sometimes UDP load balancing on the NIC helps -
> >> ethtool -N eth1 rx-flow-hash udp4 sdfn
> >> ethtool -N eth1 rx-flow-hash udp6 sdfn
> >>
> >> Very curious if you experience the same issue with 3.0RC3 ?
> >>
> >> Thanks
> >>
> >> >
> >> > > Date: Wed, 23 Dec 2015 22:36:44 +0100
> >> > > Subject: Re: [Oisf-users] unusual packet loss
> >> > > From: petermanev at gmail.com
> >> > > To: coolyasha at hotmail.com
> >> > > CC: oisf-users at lists.openinfosecfoundation.org
> >> > >
> >> > > On Wed, Dec 23, 2015 at 3:36 PM, Yasha Zislin
> >> > <coolyasha at hotmail.com> wrote:
> >> > > > I am running Suricata 2.1beta4 with PF_RING.
> >> > > > I have 4 threads (4 logical CPUs) monitoring one interface. After
> >> > a few
> >> > > > minutes of running, I get 50% packet loss.
> >> > > > I have tweaked all of the stream reassembly buffers to avoid
> >> > packet loss.
> >> > > > Only one of the threads gets kernel packet drops. I've noticed
> >> > that one CPU
> >> > > > is running at 100% and others are almost idle. Looking at
> >> > stats.log, that
> >> > > > one thread for some reason is digesting more packets than others.
> >> > > > Throughput on this sensor is not that big. About 500k packets a
> >> > minute. I
> >> > > > use this image on other sensors without issues.
> >> > > >
> >> > > > Need help to figure out why only one thread is doing MOST of the
> >> > work.
> >> > >
> >> > > Can you share "top -H" screenshot ?
> >> > >
> >> > > >
> >> > > > Thank you.
> >> > > >
> >> > > > _______________________________________________
> >> > > > Suricata IDS Users mailing list:
> >> > oisf-users at openinfosecfoundation.org
> >> > > > Site: http://suricata-ids.org | Support:
> >> > http://suricata-ids.org/support/
> >> > > > List:
> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> > > > Suricata User Conference November 4 & 5 in Barcelona:
> >> > http://oisfevents.net
> >> > >
> >> > >
> >> > >
> >> > > --
> >> > > Regards,
> >> > > Peter Manev
> >> >
> >>
> >> --
> >> Regards,
> >> Peter Manev
> >>
>
>
>
> --
> Regards,
> Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160111/68ddcde0/attachment-0002.html>
More information about the Oisf-users
mailing list