[Oisf-users] Are kernel_drops a symptom of dysfunctional afpacket fanout and/or RSS?

Cooper F. Nelson cnelson at ucsd.edu
Thu Aug 3 00:05:52 UTC 2017


Try running without any rules enabled.  If you are still dropping
packets it's probably more a system than suricata issue.

If that fixes the problem, it's a suricata issue.  Try running fewer
rules or adding more cores/threads.  It's *possible* you can address
packet drops on an oversubscribed system by increasing the ring-size per
thread or increasing the max-pending packets setting.

In either case, make sure the stream bypass is enabled.

If you are using a recent kernel, also try the new tpacket-v3
AF_PACKET mode.

-Coop

On 8/2/2017 4:50 PM, Marshall, Hunter wrote:
> I just do not know whether kernel_drops are the/a symptom of these 2
> issues. Details below.


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
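
Added example, not part of the original message: where the settings named in the reply above live in suricata.yaml. The interface name, thread count, cluster-id and every numeric value are assumptions to be sized for the sensor in question.

```yaml
# suricata.yaml fragment (constructed example; values are assumptions)

# Packets Suricata may hold in flight at once (stock default is 1024).
max-pending-packets: 4096

af-packet:
  - interface: eth0             # assumed capture interface
    threads: 8                  # assumed; raise when adding cores/threads
    cluster-id: 99              # assumed fanout group id
    cluster-type: cluster_flow  # fanout by flow hash, one flow per thread
    defrag: yes
    use-mmap: yes               # needed for the mmap'd ring options below
    tpacket-v3: yes             # TPACKET_V3 mode, needs a recent kernel
    ring-size: 100000           # per-thread ring, counted in packets

stream:
  bypass: yes                   # stop inspecting a flow once stream depth is reached
```

A larger ring-size is multiplied by the thread count, so check available memory before raising it.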

