[Oisf-users] As I enabled the packet profiling, packet drop was generated.

Peter Manev petermanev at gmail.com
Fri Jun 9 07:19:38 UTC 2017 

On Tue, Jun 6, 2017 at 12:23 PM, 이상철 <leesc at ictis.kr> wrote:
> HI!
>
>
>
> As I enabled the packet profiling, packet drop was generated.

Profiling has a performance hit that can explain the drops.
It is not meant for live runs but just for testing/tuning/adjusting.

>
> The packet drop was confirmed by “packet.kernel_drop” in stats.log.
>
> I want to always enable the packet profiling in my product, how can I
> improve?
>
>
>
> I generated 160 Kpps(packet per sec) traffic and lost 30% of the packets.
> The size of each packet size is 64 bytes.
>
> I have analyzed the source code and have found that packet drop will not
> occur if the SCProfilingPrintPacketProfile() function is not executed.
>
> How do I improve this function and are there any other improvement options?
>
>
>
> Below is the hardware specification and suricata configuration information.
>
>
>
> Hardware spec.
>
> CPU : Intel(R) Xeon(R) CPU E5-2660 v3 @ 2.60GHz
>
>       10 cores, 20 threads
>
> Memory : 16G
>
> Ethernet : Intel Corporation 82580 Gigabit ( 1Gbps)
>
>
>
>
>
> Suricata Version : 3.2.1
>
> OS – linux debian 8
>
> excute command :  "suricata -c /etc/suricata/suricata.yaml --af-packet"
>
> number of rules : 9000
>
> suricata.yaml
>
> af-packet:
>
>   - interface: eth0
>
>     threads: auto
>
>     cluster-id: 99
>
>     cluster-type: cluster_flow
>
>     defrag: yes
>
>     use-mmap: yes
>
>     buffer-size: 64535
>
>     copy-mode: ips
>
>     copy-iface: eth1
>
>
>
>   - interface: eth1
>
>     threads: auto
>
>     cluster-id: 98
>
>     cluster-type: cluster_flow
>
>     defrag: yes
>
>     use-mmap: yes
>
>     buffer-size: 64535
>
>     copy-mode: ips
>
>     copy-iface: eth0
>
>
>
> packets:
>
>     # Profiling can be disabled here, but it will still have a
>
>     # performance impact if compiled in.
>
>     enabled: yes
>
>     filename: packet_stats.log
>
>     append: yes
>
>
>
>     # per packet csv output
>
>     csv:
>
>
>
>       # Output can be disabled here, but it will still have a
>
>       # performance impact if compiled in.
>
>       enabled: yes
>
>       filename: packet_stats.csv
>
>
>
>
>
> Sincerely
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list