[Oisf-users] Massive kernel drops with HTTP traffic

Konstantin Klinger konstantin.klinger at dcso.de
Thu Aug 16 12:49:51 UTC 2018

Hello OISF users,

we have some issues with massive capture.kernel_drops (~30-50%) on some
of our high traffic (>5Gbit/s per interface) 4.1.0dev Suricata instances
(af_packet). What we found curious about the issue is that there is no
associated heavy CPU load.

We were able to determine that the problem is related by large volumes
of HTTP traffic on the interface (such as, for example, huge backups,
huge file downloads, etc.). Without HTTP traffic (for example after
filtering port 80/8080 via bpf before inspection) the packets drops
decreased below 5%. This is also the case after deactivating the HTTP
parser in the suricata.yaml config.

So our question is if anyone has or had the same issue? Any experience
to share?

We will do further debugging on this issue and we will try to make the
problem reproducible by tcpreplaying a captured pcap, but we are not at
this point yet.



Konstantin Klinger
Security Content Engineer
Threat Detection & Hunting (TDH)

+49 160 95476260
konstantin.klinger at dcso.de


PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46
DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus
22 • D-10829 Berlin
Geschäftsführer: Dr.-Ing. Gunnar Siebert, Sitz der Gesellschaft: Berlin,
Amtsgericht Charlottenburg HRB 172382

More information about the Oisf-users mailing list