[Oisf-users] Suricata at 10G, packet reassembly
Collyer, Jeffrey W. (jwc3f)
jwc3f at virginia.edu
Wed Feb 1 13:31:56 UTC 2017
So I’ve followed the 10G tuning guide, to what looks like great success. This is on an Intel X520 card with AF_PACKET and 1 RSS queue. The traffic load fluctuates between 4 and a peak of about 8 Gbps.
capture.kernel_packets | Total | 22028847471
capture.kernel_drops | Total | 40166
decoder.pkts | Total | 22028920807
In digging around further, netstat -s shows about 3% of packet reassemblies failing. Is this normal? This is my first foray into 10G capture and I don’t know what is normal at what level of diagnostic yet, and was hoping someone with more experience could tell me if this was a problem or not.
I expanded the ipfrag_high_thresh kernel memory to try to allow more memory for packet reassembly in case that was a factor.
# expand ip_frag threshold to help packet reassembly
net.ipv4.ipfrag_high_thresh = 8388608
Ip:
    4509211 total packets received
    0 forwarded
    0 incoming packets discarded
    3351761 incoming packets delivered
    2369930 requests sent out
    121777 fragments dropped after timeout
    258550565 reassemblies required
    72996695 packets reassembled ok
    7823209 packet reassembles failed
Thanks for any advice.
Jeff
Jeffrey Collyer
Information Security Engineer
University of Virginia
434-297-6317
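
The two ratios in the message (the roughly 3% reassembly failure rate from netstat -s and the Suricata kernel drop rate) can be recomputed from the quoted counters. This is an added example, not part of the original post; the counter text is copied from the message and the function names are chosen here.

```python
import re

# Counter text copied from the message above.
NETSTAT_IP = """\
Ip:
    4509211 total packets received
    121777 fragments dropped after timeout
    258550565 reassemblies required
    72996695 packets reassembled ok
    7823209 packet reassembles failed
"""
SURICATA_STATS = """\
capture.kernel_packets | Total | 22028847471
capture.kernel_drops | Total | 40166
decoder.pkts | Total | 22028920807
"""

def parse_netstat_ip(text):
    """Return {label: count} for the Ip: section of `netstat -s` output."""
    counters, in_ip = {}, False
    for line in text.splitlines():
        if re.match(r"^\S+:\s*$", line):        # section header: "Ip:", "Tcp:", ...
            in_ip = line.strip() == "Ip:"
            continue
        m = re.match(r"^\s*(\d+)\s+(.+?)\s*$", line)
        if in_ip and m:
            counters[m.group(2)] = int(m.group(1))
    return counters

def parse_suricata_stats(text):
    """Return {counter: value} from 'name | Total | value' lines."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            counters[parts[0]] = int(parts[2])
    return counters

def pct(part, whole):
    return 100.0 * part / whole if whole else 0.0

def summarize(netstat_text=NETSTAT_IP, stats_text=SURICATA_STATS):
    ip, su = parse_netstat_ip(netstat_text), parse_suricata_stats(stats_text)
    return {
        # Host IP stack: failures relative to the "reassemblies required" counter.
        "reasm_fail_pct": pct(ip["packet reassembles failed"], ip["reassemblies required"]),
        # Capture path: drops the kernel reported for the capture socket.
        "kernel_drop_pct": pct(su["capture.kernel_drops"], su["capture.kernel_packets"]),
    }

if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value:.5f}%")
```

Both sets of counters are cumulative, so sampling them at two points in time and running the same calculation on the differences shows the current rate rather than the lifetime average.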