[Oisf-users] suricata 3.2.0 for 10Gb performance

Cooper F. Nelson cnelson at ucsd.edu
Tue Jan 24 16:45:49 UTC 2017

Are you seeing this error message in your suricata logs?

> [3047] 14/1/2017 -- 17:52:52 - (util-ioctl.c:397) <Warning> (GetIfaceOffloadingLinux) -- [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on eth2: SG: SET,  GRO: SET, LRO: unset, TSO: SET, GSO: SET. Run: ethtool -K eth2 sg off gro off lro off tso off gso off
> [3047] 14/1/2017 -- 17:52:52 - (runmode-af-packet.c:459) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using AF_PACKET with offloading activated leads to capture problems

If not, it means suricata is disabling GRO when it starts up.  This is
the default behavior on 3.2 unless you explicitly "disable the
disabling" in the yaml file.


On 1/24/2017 7:30 AM, erik clark wrote:
> I am seeing packets truncated at about 1 or 2 with tpacket_v3 running. With
> the default of 1514, I was not seeing packets truncated unless I had bro
> and suricata running at the same time. Not sure why that might have been.
> Still waiting on a response from RH, but this appears to work combined with
> the ixgbe patch on RHEL7.
>
> On Fri, Jan 20, 2017 at 5:28 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>> Look for log entries with "trunc_pkt" in the stats.log file to see if
>> you aren't capturing full packets.
>>
>> You have to explicitly enable the tpacket-v3 setting in suricata.yaml to
>> make use of it.
>>
>> -Coop

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
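
Added example (not part of the original message and not Suricata code): a small Python check that scans a Suricata log for the SC_ERR_NIC_OFFLOADING warning in the format quoted above and reports which offloads are still SET per interface. The function names and the third sample line are assumptions constructed for illustration.

```python
import re

# Matches the SC_ERR_NIC_OFFLOADING warning in the format quoted in the message.
# The interface name is limited to safe characters because it ends up in a command.
OFFLOAD_RE = re.compile(
    r"SC_ERR_NIC_OFFLOADING\(\d+\)\] - NIC offloading on (?P<iface>[\w.-]+):"
    r"\s*(?P<flags>.*?)\.\s+Run:"
)
FLAG_RE = re.compile(r"(?P<name>[A-Z]+):\s*(?P<state>SET|unset)")

# First two lines are copied from the message; the third (eth3) is constructed.
SAMPLE_LOG = """\
[3047] 14/1/2017 -- 17:52:52 - (util-ioctl.c:397) <Warning> (GetIfaceOffloadingLinux) -- [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on eth2: SG: SET,  GRO: SET, LRO: unset, TSO: SET, GSO: SET. Run: ethtool -K eth2 sg off gro off lro off tso off gso off
[3047] 14/1/2017 -- 17:52:52 - (runmode-af-packet.c:459) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using AF_PACKET with offloading activated leads to capture problems
[3047] 14/1/2017 -- 17:52:53 - (util-ioctl.c:397) <Warning> (GetIfaceOffloadingLinux) -- [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on eth3: SG: unset, GRO: SET, LRO: unset, TSO: unset, GSO: unset. Run: ethtool -K eth3 sg off gro off lro off tso off gso off
"""


def parse_offload_warnings(log_text):
    """Return {iface: {feature: enabled}} for each offloading warning found."""
    result = {}
    for line in log_text.splitlines():
        match = OFFLOAD_RE.search(line)
        if not match:
            continue  # e.g. the SC_ERR_AFP_CREATE line carries no per-feature state
        result[match.group("iface")] = {
            flag.group("name").lower(): flag.group("state") == "SET"
            for flag in FLAG_RE.finditer(match.group("flags"))
        }
    return result


def remediation(iface, flags):
    """Build an ethtool -K command for the features reported SET, or None."""
    enabled = [name for name, is_on in flags.items() if is_on]
    if not enabled:
        return None
    return "ethtool -K {} {}".format(iface, " ".join(n + " off" for n in enabled))


if __name__ == "__main__":
    for iface, flags in parse_offload_warnings(SAMPLE_LOG).items():
        print(iface, "->", remediation(iface, flags))
```

If no interface is reported, the warning was not logged, which matches the case described in the message where Suricata disabled the offloads itself at startup.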
