[Oisf-users] High ICMP Ping Latency in Workers Runmode
Peter Fyon
peter.fyon at gmail.com
Sun Feb 5 19:40:18 UTC 2017
I just tried commenting out buffer-size and explicitly setting ring-size to
2048, but it didn't affect the ping response times.
On Sun, Feb 5, 2017 at 3:20 AM, Peter Manev <petermanev at gmail.com> wrote:
>
>
> On 5 Feb 2017, at 00:08, Peter Fyon <peter.fyon at gmail.com> wrote:
>
> user at suricata:~$ uname -a
>
> Linux suricata 3.16.0-77-generic #99~14.04.1-Ubuntu SMP Tue Jun 28
> 19:17:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> Command line:
> /usr/bin/suricata -c /etc/suricata/suricata.yaml --pid file
> /var/run/suricata.pid --af-packet -D -vvv
>
> Server specs:
> Intel g3258 cpu (2 cores @ 3.2ghz)
> 8gb ram
> Some cheap Realtek gigabit nics for capture, onboard nic for management
>
> Relevant to capture portions of suricata.yaml:
> af-packet:
>   - interface: p5p1
>     copy-iface: p6p1
>     cluster-id: 98
>     threads: auto
>     use-mmap: yes
>     rollover: yes
>     tpacket-v3: yes
>     block-size: 32768
>     copy-mode: ips
>     buffer-size: 64535
>     cluster-type: cluster_flow
>     defrag: yes
>   - interface: p6p1
>     copy-iface: p5p1
>     cluster-id: 97
>     threads: auto
>     use-mmap: yes
>     rollover: yes
>     tpacket-v3: yes
>     block-size: 32768
>     copy-mode: ips
>     buffer-size: 64535
>     cluster-type: cluster_flow
>     defrag: yes
>   - interface: default
>     threads: auto
>     use-mmap: yes
>     rollover: yes
>     tpacket-v3: yes
>     block-size: 32768
>     copy-mode: ips
>     buffer-size: 64535
>     cluster-type: cluster_flow
>     defrag: yes
>
> Disable buffer-size (use ring-size instead) and rollover and see if any diff?
>
>
> App-layer section:
> http:
>   enabled: yes
>   memcap: 512mb
>   libhtp:
>     default-config:
>       personality: IDS
>       request-body-limit: 1gb
>       response-body-limit: 1gb
>       request-body-minimal-inspect-size: 32kb
>       request-body-inspect-window: 4kb
>       response-body-minimal-inspect-size: 40kb
>       response-body-inspect-window: 16kb
>       response-body-decompress-layer-limit: 2
>       http-body-inline: auto
>       double-decode-path: no
>       double-decode-query: no
>
> host-mode: auto
> max-pending-packets: 2048
> runmode: workers
> defrag:
>   memcap: 128mb
>   hash-size: 65536
>   trackers: 65535 # number of defragmented flows to follow
>   max-frags: 65535 # number of fragments to keep (higher than trackers)
>   prealloc: yes
>   timeout: 60
> flow:
>   memcap: 128mb
>   hash-size: 65536
>   prealloc: 10000
>   emergency-recovery: 30
> stream:
>   memcap: 128mb
>   checksum-validation: yes # reject wrong csums
>   inline: yes # auto will use inline mode in IPS mode, yes or no set it statically
>   reassembly:
>     memcap: 256mb
>     depth: 0 # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>     randomize-chunk-size: yes
>
> A lot of those config settings were copied over from my old 3.0 config.
>
> Peter
>
> On Feb 4, 2017 5:10 PM, "Andreas Herz" <andi at geekosphere.org> wrote:
>
> On 04/02/17 at 16:59, Peter Fyon wrote:
> > Yes, IPS mode inline using af-packet, Ubuntu 14.04.
>
> How do you run it exactly? Paste the command line please.
>
> Also add relevant sections you changed/added to the config.
>
> Also the hardware specs and network infos.
>
> What kernel is used?
>
> > Peter
> >
> > On Feb 4, 2017 4:57 PM, "Andreas Herz" <andi at geekosphere.org> wrote:
> >
> > On 04/02/17 at 16:47, Peter Fyon wrote:
> > > When I was running 3.0, I was using workers runmode with few issues. I
> > > upgraded to 3.2 this week and my ping times went from ~ 30ms to
> > ~150-200ms.
> >
> > How do you run suricata and on what system?
> > Since you see latency issues I would guess IPS mode but there are some
> > :)
> >
> > --
> > Andreas Herz
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> --
> Andreas Herz
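An added example, not from the thread or the Suricata project: a small Python check that reads an af-packet interface block out of suricata.yaml, flags the two settings Peter Manev suggests changing for an IPS (copy-mode: ips) deployment (buffer-size in favour of ring-size, and rollover), and applies those changes. The hand-written parser, the function names and the sample block are my own; the sample is an abridged, re-indented copy of the p5p1 block quoted above.

```python
import re

# Constructed sample (abridged from the thread's p5p1 block), re-indented as YAML.
SAMPLE_YAML = """\
af-packet:
  - interface: p5p1
    copy-iface: p6p1
    use-mmap: yes
    rollover: yes
    tpacket-v3: yes
    copy-mode: ips
    buffer-size: 64535
    cluster-type: cluster_flow
"""

def parse_af_packet(text):
    """Hand-written parser for flat 'key: value' af-packet blocks (no PyYAML)."""
    ifaces = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        m = re.match(r"\s*-?\s*([\w-]+):\s*(.*)$", line)
        if not m or m.group(1) == "af-packet":
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "interface":
            ifaces.append({})  # a '- interface:' item starts a new block
        if ifaces:
            ifaces[-1][key] = val
    return ifaces

def check_ips_block(cfg):
    """Map setting -> advice for a 'copy-mode: ips' block; empty if not IPS."""
    findings = {}
    if cfg.get("copy-mode") != "ips":
        return findings
    if "buffer-size" in cfg:
        findings["buffer-size"] = "drop it; size the mmap ring with ring-size instead"
    if "ring-size" not in cfg:
        findings["ring-size"] = "set it explicitly (the thread tried 2048)"
    if cfg.get("rollover") == "yes":
        findings["rollover"] = "disable it (rollover: no) in IPS mode"
    return findings

def apply_thread_advice(cfg, ring_size=2048):
    """Return a copy of the block with the thread's suggested changes applied."""
    fixed = {k: v for k, v in cfg.items() if k != "buffer-size"}
    fixed["ring-size"] = str(ring_size)
    fixed["rollover"] = "no"
    return fixed
```

Run it against a full suricata.yaml af-packet section to list every IPS interface that still carries the settings discussed in the thread; the check is intentionally limited to what this thread covers.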