[Oisf-users] Massive kernel drops with HTTP traffic
Cooper F. Nelson
cnelson at ucsd.edu
Thu Aug 30 17:11:18 UTC 2018
This looks like you are using RSS with asymmetric hashing (client/server
flows on different cores).
The fix is going to be dependent on what card/driver you are using, if
its an Intel/ixgbe deployment you can force symmetric hashing on the
current Linux kernel using this command (take care to use the correct NIC):
> ethtool -X eth3 hkey
> 6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a
Also make sure all offloading is disabled:
> for i in rx tx tso gso gro lro tx sg txvlan rxvlan; do
> /usr/sbin/ethtool -K eth3 $i off 2>&1 > /dev/null;
> done
-Coop
On 8/17/2018 6:22 AM, Konstantin Klinger wrote:
> Thank you for your answer. I made a ~5min run with http-events and
> stream-events ruleset active and here is the outcome:
>
> 982397 "SURICATA STREAM Packet with invalid ack"
> 966940 "SURICATA STREAM ESTABLISHED invalid ack"
> 965091 "SURICATA STREAM 3way handshake wrong seq wrong ack"
> 887444 "SURICATA STREAM ESTABLISHED packet out of window"
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180830/c918f204/attachment.sig>
More information about the Oisf-users
mailing list