[Oisf-users] problem with af-packet in 3.1.2
Michael Stone
mstone at mathom.us
Tue Sep 27 20:36:28 UTC 2016
I generally use af-packet in my suricata deployments, but on some
machines with i210 interfaces running 3.1.2 that configuration causes
suricata to spin all cpus at 100%, while dropping most of the traffic.
(The stats file lists capture.kernel_packets, doesn't list drops, but
the shutdown message says that almost all the packets were dropped.) If
I use the same configuration but substitute a USB ethernet adapter,
everything behaves as expected. If I use the i210 interface but switch
from af-packet to pcap, everything behaves as expected. If I downgrade
to a 3.0 version of suricata, everything works with af-packet. No
earlier release of 3.1.x works with af-packet. I've tried 3.16 and 4.6
kernels with no difference in the results. In practical terms there's no
reason not to run pcap mode in this particular configuration, but it
would be nice to know why af-packet is behaving so badly.
Mike Stone