[Oisf-users] problem with af-packet in 3.1.2

Peter Manev petermanev at gmail.com
Mon Oct 3 08:22:32 UTC 2016 

On Wed, Sep 28, 2016 at 2:26 PM, Michael Stone <mstone at mathom.us> wrote:
> On Wed, Sep 28, 2016 at 08:47:46AM +0200, Peter Manev wrote:
>>
>> On Tue, Sep 27, 2016 at 10:36 PM, Michael Stone <mstone at mathom.us> wrote:
>>>
>>> I generally use af-packet in my suricata deployments, but on some
>>> machines
>>> with i210 interfaces running 3.1.2 that configuration causes suricata to
>>> spin all cpus at 100%, while dropping most of the traffic.  (The stats
>>> file
>>> lists capture.kernel_packets, doesn't list drops, but the shutdown
>>> message
>>> says that almost all the packets were dropped.) If I use the same
>>
>>
>> Do you have any err/warnings in your suricata.log(or at start)?
>
>
> Nothing.
>
>> Can you share the last update entry in stats.log when using afpacket
>> on the problematic machines?
>
>
> Counter                                    | TM Name                   |
> Value
> ------------------------------------------------------------------------------------
> capture.kernel_packets                     | Total                     |
> 664249
> capture.kernel_drops                       | Total                     |
> 428586
> flow.spare                                 | Total                     |
> 10000
> tcp.memuse                                 | Total                     |
> 1572864
> tcp.reassembly_memuse                      | Total                     |
> 12320544
> flow.memuse                                | Total                     |
> 7154304
>
>
>>> configuration but substitute a USB ethernet adapter, everything behaves
>>> as
>>> expected. If I use the i210 interface but switch from af-packet to pcap,
>>> everything behaves as expected. If I downgrade to a 3.0 version of
>>> suricata,
>>> everything works with af-packet. No earlier release of 3.1.x works with
>>> af-packet. I've tried 3.16 and 4.6 kernels with no difference in the
>>
>>
>> Can you get an idea in a bit more detail from perf top?
>
>
>  89.85%  suricata               [.] AFPReadFromRing
> 0.59%  suricata               [.] SigMatchListSMBelongsTo
> 0.48%  [kernel]               [k] clear_page
> 0.32%  suricata               [.] SCACCreateDeltaTable
> 0.28%  suricata               [.] SCACCreateFailureTable
> 0.24%  suricata               [.] SCACPreparePatterns
> 0.18%  suricata               [.] PacketPoolWaitForN
> 0.14%  [kernel]               [k] acpi_idle_do_entry
> 0.13%  suricata               [.] MpmStorePrepareBuffer2
> 0.11%  libpthread-2.19.so     [.] pthread_mutex_trylock
> Mike Stone

Can you share your ethtool stats (ethtool ethX -S ) and your i210
ethtool offloading settings - (ethtool -k ethX)?
Do you run any specific set up scripts(and/or drivers) for i210?

Is there a possibility for you to share your suricata.yaml and
suricata.log (privately if you would like)?- for the troubled run.

Thanks


-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list