[Oisf-users] High ICMP Ping Latency in Workers Runmode

Peter Fyon peter.fyon at gmail.com
Wed Feb 8 04:32:20 UTC 2017

The Realtek adapters have worked fine in the past. Cheap, but functional.
I'm not pushing much data through this box (30ish mbit), which hasn't
caused any issues for Suricata in the past, even with ~18000 rules.

Upgrading the kernel to 4.4.0 did the trick. The ping times are back down
to normal under workers. Maybe when I upgraded Suricata to 3.2, I also
upgraded the kernel to one of the bad versions.

Thanks for the help!


On Tue, Feb 7, 2017 at 4:08 PM, Andreas Herz <andi at geekosphere.org> wrote:

> On 04/02/17 at 18:08, Peter Fyon wrote:
> > Linux suricata 3.16.0-77-generic #99~14.04.1-Ubuntu SMP Tue Jun 28 19:17:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> Could you try a more recent kernel? There have been improvements with
> af_packet.
>
> > Command line:
> > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
>
> Could you paste the output from suricata with verbose mode somewhere?
>
> > Server specs:
> > Intel g3258 cpu (2 cores @ 3.2ghz)
> > 8gb ram
> > Some cheap Realtek gigabit nics for capture, onboard nic for management
>
> CPU and RAM should be fine for some mbit/s.
> The cheap Realtek might be the issue as well. Do you see anything
> relevant in the syslog?
>
> You said you removed all rules and had the same issue then with zero
> rules loaded. Do you have the ping issue while other traffic is going on
> or can you even reproduce it without any other traffic or with low
> traffic?
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users