[Oisf-users] problem with af-packet in 3.1.2

Peter Manev petermanev at gmail.com
Wed Sep 28 06:47:46 UTC 2016

On Tue, Sep 27, 2016 at 10:36 PM, Michael Stone <mstone at mathom.us> wrote:
> I generally use af-packet in my suricata deployments, but on some machines
> with i210 interfaces running 3.1.2 that configuration causes suricata to
> spin all cpus at 100%, while dropping most of the traffic.  (The stats file
> lists capture.kernel_packets, doesn't list drops, but the shutdown message
> says that almost all the packets were dropped.) If I use the same

Do you have any err/warnings in your suricata.log (or at start)?
Can you share the last update entry in stats.log when using afpacket
on the problematic machines?

> configuration but substitute a USB ethernet adapter, everything behaves as
> expected. If I use the i210 interface but switch from af-packet to pcap,
> everything behaves as expected. If I downgrade to a 3.0 version of suricata,
> everything works with af-packet. No earlier release of 3.1.x works with
> af-packet. I've tried 3.16 and 4.6 kernels with no difference in the

Can you get an idea in a bit more detail from perf top?

> results. In practical terms there's no reason not to run pcap mode in this
> particular configuration, but it would be nice to know why af-packet is
> behaving so badly.
> Mike Stone

Peter Manev
