[Oisf-users] Suricata at 10G, packet reassembly
Peter Manev
petermanev at gmail.com
Wed Feb 1 13:49:23 UTC 2017
On Wed, Feb 1, 2017 at 2:31 PM, Collyer, Jeffrey W. (jwc3f)
<jwc3f at virginia.edu> wrote:
> So I’ve followed the 10G tuning guide, to what looks like great success.
> This is on an Intel X520 card with AF_PACKET and 1 RSS queue. The traffic
> load fluctuates between 4 and a peak of about 8 Gbps.
Out of curiosity what specs do you have - for CPU/RAM/OS/kernel?
>
> capture.kernel_packets | Total | 22028847471
> capture.kernel_drops | Total | 40166
> decoder.pkts | Total | 22028920807
>
Can you please paste the last (full section) log update?
>
> In digging around further, netstat -s shows about 3% of packet reassemblies
> failing. Is this normal? This is my first foray into 10G capture and I
> don’t know what is normal at what level of diagnostic yet, and was hoping
> someone with more experience could tell me if this was a problem or not.
>
> I expanded the ipfrag_high_thresh kernel memory to try to allow more memory
> for packet reassembly in case that was a factor.
>
> # expand ip_frag threshold to help packet reassembly
> net.ipv4.ipfrag_high_thresh = 8388608
>
> Ip:
> 4509211 total packets received
> 0 forwarded
> 0 incoming packets discarded
> 3351761 incoming packets delivered
> 2369930 requests sent out
> 121777 fragments dropped after timeout
> 258550565 reassemblies required
> 72996695 packets reassembled ok
> 7823209 packet reassembles failed
>
> Thanks for any advice.
> Jeff
>
>
> Jeffrey Collyer
> Information Security Engineer
> University of Virginia
> 434-297-6317
>
>
--
Regards,
Peter Manev
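
Added example, not part of either message: a shell/awk check that derives the two rates discussed above (IP reassembly failures and capture drops) from the quoted counters. The sample input is constructed from the numbers in the message; the stats.log column layout and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: the counters quoted in the message above, laid out the
# way `netstat -s` and Suricata's stats.log print them (layout assumed).
sample_netstat() {
cat <<'EOF'
Ip:
    121777 fragments dropped after timeout
    258550565 reassemblies required
    72996695 packets reassembled ok
    7823209 packet reassembles failed
Icmp:
    0 ICMP messages received
EOF
}
sample_stats() {
cat <<'EOF'
capture.kernel_packets                     | Total                     | 22028847471
capture.kernel_drops                       | Total                     | 40166
EOF
}

# Reads `netstat -s` text on stdin; prints "required ok failed fail_pct".
# Only the "Ip:" section is used. "required" counts fragments while "ok"
# counts whole datagrams (RFC 4293), so ok + failed need not sum to required.
reasm_summary() {
    awk '
        /^[A-Za-z]+:/ { in_ip = ($1 == "Ip:"); next }
        !in_ip        { next }
        /reassemblies required/     { req  = $1 }
        /packets reassembled ok/    { ok   = $1 }
        /packet reassembles failed/ { fail = $1 }
        END {
            if (req + 0 == 0) { print "no fragments seen"; exit }
            printf "%s %s %s %.2f\n", req, ok, fail, 100 * fail / req
        }'
}

# Reads stats.log lines on stdin; prints kernel drops as a percent of packets.
capture_drop_pct() {
    awk -F'|' '
        { gsub(/ /, "", $1); gsub(/ /, "", $3) }
        $1 == "capture.kernel_packets" { pkts  = $3 }
        $1 == "capture.kernel_drops"   { drops = $3 }
        END { if (pkts + 0 > 0) printf "%.6f\n", 100 * drops / pkts }'
}

# Live use: netstat -s | reasm_summary ; capture_drop_pct < stats.log
echo "reassembly: $(sample_netstat | reasm_summary)"
echo "kernel drop %: $(sample_stats | capture_drop_pct)"
```

The `netstat -s` counters are cumulative since boot, so comparing two snapshots taken a known interval apart shows whether failures are still accruing after a sysctl change.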