[Oisf-users] Massive kernel drops with HTTP traffic

Konstantin Klinger konstantin.klinger at dcso.de
Thu Aug 16 14:00:08 UTC 2018

On 16.08.2018 15:02, Victor Julien wrote:
> On 16-08-18 14:49, Konstantin Klinger wrote:
>> Hello OISF users,
>> we have some issues with massive capture.kernel_drops (~30-50%) on some
>> of our high traffic (>5Gbit/s per interface) 4.1.0dev Suricata instances
>> (af_packet). What we found curious about the issue is that there is no
>> associated heavy CPU load.
>> We were able to determine that the problem is related to large volumes
>> of HTTP traffic on the interface (such as, for example, huge backups,
>> huge file downloads, etc.). Without HTTP traffic (for example after
>> filtering port 80/8080 via bpf before inspection) the packet drops
>> decreased below 5%. This is also the case after deactivating the HTTP
>> parser in the suricata.yaml config.
>> So our question is if anyone has or had the same issue? Any experience
>> to share?
>> We will do further debugging on this issue and we will try to make the
>> problem reproducible by tcpreplaying a captured pcap, but we are not at
>> this point yet.
> Which git rev? I'm just analyzing a recently added perf regression.
> Added in 7e004f52c60c5e4d7cd8f5ed09491291d18f42d2

We have the same problems with 4.0.* stable.


Konstantin Klinger
Security Content Engineer
Threat Detection & Hunting (TDH)

+49 160 95476260
konstantin.klinger at dcso.de


PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46
DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus
22 • D-10829 Berlin
Managing Director: Dr.-Ing. Gunnar Siebert, registered office: Berlin,
Charlottenburg District Court HRB 172382
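An added example that is not part of the thread and not Suricata's own code: the poster quantifies the problem as a capture.kernel_drops percentage, and the usual way to get that number per reporting interval (rather than as a cumulative total since start) is to diff consecutive stats records from eve.json. The script below assumes the eve "stats" record carries a `capture` object with cumulative `kernel_packets` and `kernel_drops` counters, as Suricata's af_packet stats output does; the sample records are constructed, and the 5% threshold mirrors the figure the poster saw after filtering out HTTP. Records where the counters go backwards (a Suricata restart) are skipped rather than producing a negative ratio.

```python
import json

# Constructed sample eve.json lines (not from the mailing-list thread).
# Suricata emits a "stats" record periodically; its counters are cumulative
# since process start, so the drop rate for one interval is the delta
# between two consecutive records. The last record simulates a restart.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-08-16T14:00:00.000000+0000","event_type":"stats",'
    '"stats":{"capture":{"kernel_packets":1000000,"kernel_drops":10000}}}',
    '{"timestamp":"2018-08-16T14:00:08.000000+0000","event_type":"stats",'
    '"stats":{"capture":{"kernel_packets":2000000,"kernel_drops":20000}}}',
    '{"timestamp":"2018-08-16T14:00:16.000000+0000","event_type":"stats",'
    '"stats":{"capture":{"kernel_packets":3000000,"kernel_drops":420000}}}',
    '{"timestamp":"2018-08-16T14:00:20.000000+0000","event_type":"alert"}',
    '{"timestamp":"2018-08-16T14:00:24.000000+0000","event_type":"stats",'
    '"stats":{"capture":{"kernel_packets":4000000,"kernel_drops":820000}}}',
    '{"timestamp":"2018-08-16T14:00:32.000000+0000","event_type":"stats",'
    '"stats":{"capture":{"kernel_packets":500000,"kernel_drops":1000}}}',
]


def parse_stats(lines):
    """Return (timestamp, kernel_packets, kernel_drops) for each stats record.

    Non-stats events, blank lines and malformed JSON are ignored so the
    function can be pointed at a whole eve.json file.
    """
    samples = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "stats":
            continue
        capture = rec.get("stats", {}).get("capture")
        if not capture:
            continue
        samples.append((
            rec["timestamp"],
            int(capture.get("kernel_packets", 0)),
            int(capture.get("kernel_drops", 0)),
        ))
    return samples


def interval_drop_ratios(samples):
    """Turn cumulative counters into per-interval (timestamp, packets, drops, ratio).

    kernel_packets counts everything the kernel saw, dropped packets included,
    so drops / packets is the fraction of traffic Suricata never inspected.
    An interval whose counters went backwards indicates a counter reset and
    is skipped instead of yielding a nonsensical negative ratio.
    """
    results = []
    for (_, p0, d0), (t1, p1, d1) in zip(samples, samples[1:]):
        delta_packets = p1 - p0
        delta_drops = d1 - d0
        if delta_packets < 0 or delta_drops < 0:
            continue
        ratio = delta_drops / delta_packets if delta_packets else 0.0
        results.append((t1, delta_packets, delta_drops, ratio))
    return results


def flag_intervals(lines, threshold=0.05):
    """Return (timestamp, ratio) for intervals whose drop ratio exceeds threshold."""
    return [(t, ratio)
            for t, _, _, ratio in interval_drop_ratios(parse_stats(lines))
            if ratio > threshold]


if __name__ == "__main__":
    for t, pkts, drops, ratio in interval_drop_ratios(parse_stats(SAMPLE_EVE_LINES)):
        print(f"{t}  packets={pkts:>8}  drops={drops:>7}  drop_ratio={ratio:6.2%}")
    print("over threshold:", flag_intervals(SAMPLE_EVE_LINES))
```

Run it against a live file with `interval_drop_ratios(parse_stats(open("/var/log/suricata/eve.json")))`; lining the flagged timestamps up against a byte-count breakdown of port 80/8080 traffic for the same intervals is the quickest way to confirm the HTTP correlation the poster describes before moving on to a tcpreplay reproduction.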
