[Oisf-users] problem with af-packet in 3.1.2
Michael Stone
mstone at mathom.us
Wed Sep 28 12:26:56 UTC 2016
On Wed, Sep 28, 2016 at 08:47:46AM +0200, Peter Manev wrote:
>On Tue, Sep 27, 2016 at 10:36 PM, Michael Stone <mstone at mathom.us> wrote:
>> I generally use af-packet in my suricata deployments, but on some machines
>> with i210 interfaces running 3.1.2 that configuration causes suricata to
>> spin all cpus at 100%, while dropping most of the traffic. (The stats file
>> lists capture.kernel_packets, doesn't list drops, but the shutdown message
>> says that almost all the packets were dropped.) If I use the same
>
>Do you have any err/warnings in your suricata.log (or at start)?

Nothing.

>Can you share the last update entry in stats.log when using afpacket
>on the problematic machines?

Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 664249
capture.kernel_drops | Total | 428586
flow.spare | Total | 10000
tcp.memuse | Total | 1572864
tcp.reassembly_memuse | Total | 12320544
flow.memuse | Total | 7154304
>> configuration but substitute a USB ethernet adapter, everything behaves as
>> expected. If I use the i210 interface but switch from af-packet to pcap,
>> everything behaves as expected. If I downgrade to a 3.0 version of suricata,
>> everything works with af-packet. No earlier release of 3.1.x works with
>> af-packet. I've tried 3.16 and 4.6 kernels with no difference in the
>
>Can you get an idea in a bit more detail from perf top?

89.85% suricata [.] AFPReadFromRing
0.59% suricata [.] SigMatchListSMBelongsTo
0.48% [kernel] [k] clear_page
0.32% suricata [.] SCACCreateDeltaTable
0.28% suricata [.] SCACCreateFailureTable
0.24% suricata [.] SCACPreparePatterns
0.18% suricata [.] PacketPoolWaitForN
0.14% [kernel] [k] acpi_idle_do_entry
0.13% suricata [.] MpmStorePrepareBuffer2
0.11% libpthread-2.19.so [.] pthread_mutex_trylock
Mike Stone