[Oisf-users] suricata 3.2.0 for 10Gb performance

erik clark philosnef at gmail.com
Tue Jan 24 17:08:08 UTC 2017


Ah, I am running 3.1.3, so no disable-offloading statement in my yaml.
Since we are in production with 3.1.3, I am not sure we will move to 3.2
anytime soon, due the the size of our deployment.

This appears to work as advertised on 3.1.3. Thank you for your help!

On Tue, Jan 24, 2017 at 11:45 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Are you seeing this error message in your suricata logs?
>
> > [3047] 14/1/2017 -- 17:52:52 - (util-ioctl.c:397) <Warning>
> (GetIfaceOffloadingLinux) -- [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC
> offloading on eth2: SG: SET,  GRO: SET, LRO: unset, TSO: SET, GSO: SET.
> Run: ethtool -K eth2 sg off gro off lro off tso off gso off
> > [3047] 14/1/2017 -- 17:52:52 - (runmode-af-packet.c:459) <Warning>
> (ParseAFPConfig) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using AF_PACKET
> with offloading activated leads to capture problems
>
> If not, it means suricata is disabling GRO when it starts up.  This is
> the default behavior on 3.2 unless you explicitly "disable the
> disabling" in the yaml file.
>
> -Coop
>
> On 1/24/2017 7:30 AM, erik clark wrote:
> > I am seeing packets truncated at about 1 or 2 with tpacket_v3 running.
> With
> > the default of 1514, I was not seeing packets truncated unless I had bro
> > and suricata running at the same time. Not sure why that might have been.
> > Still waiting on a response from RH, but this appears to work combined
> with
> > the ixgbe patch on RHEL7.
> >
> > On Fri, Jan 20, 2017 at 5:28 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> wrote:
> >
> >> > Look for log entries with "trunc_pkt" in the stats.log file to see if
> >> > you aren't capturing full packets.
> >> >
> >> > You have to explicitly enable the tpacket-v3 setting in suricata.yaml
> to
> >> > make use of it.
> >> >
> >> > -Coop
> >> >
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170124/5f94a835/attachment-0002.html>


More information about the Oisf-users mailing list