[Oisf-users] Massive kernel drops with HTTP traffic

Cooper F. Nelson cnelson at ucsd.edu
Thu Aug 30 17:11:18 UTC 2018

This looks like you are using RSS with asymmetric hashing (client/server
flows on different cores).

The fix is going to be dependent on what card/driver you are using; if
it's an Intel/ixgbe deployment you can force symmetric hashing on the
current Linux kernel using this command (take care to use the correct NIC):

> ethtool -X  eth3 hkey
> 6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a

Also make sure all offloading is disabled:

> # Turn off each offload feature; features the NIC lacks are skipped quietly.
> for i in rx tx tso gso gro lro sg txvlan rxvlan; do
>   /usr/sbin/ethtool -K eth3 $i off > /dev/null 2>&1;
> done


On 8/17/2018 6:22 AM, Konstantin Klinger wrote:
> Thank you for your answer. I made a ~5min run with http-events and
> stream-events ruleset active and here is the outcome:
>  982397 "SURICATA STREAM Packet with invalid ack"
>  966940 "SURICATA STREAM ESTABLISHED invalid ack"
>  965091 "SURICATA STREAM 3way handshake wrong seq wrong ack"
>  887444 "SURICATA STREAM ESTABLISHED packet out of window"

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
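
An added example, not part of the original post: a Python model of the Toeplitz hash used for RSS, showing that the repeating `6d:5a` key from the message hashes both directions of a TCP flow to the same queue, while a non-repeating key splits them. The comparison key, the sample flows and the 128-entry round-robin queue mapping are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Key from the post: the 16-bit pattern 6d:5a repeated to 40 bytes.
SYMMETRIC_KEY = bytes.fromhex("6d5a" * 20)
# Constructed stand-in for a non-repeating RSS key (not from the post).
CONSTRUCTED_KEY = hashlib.sha512(b"constructed rss key").digest()[:40]


def toeplitz(key: bytes, data: bytes) -> int:
    """Toeplitz hash: XOR the 32-bit key window at every set input bit."""
    k = int.from_bytes(key, "big")
    top = len(key) * 8 - 32
    result = 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (k >> (top - i)) & 0xFFFFFFFF
    return result


def rss_hash(key, src, dst, sport, dport):
    """Hash the IPv4/TCP 4-tuple in RSS order: src, dst, sport, dport."""
    data = (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))
    return toeplitz(key, data)


def queue(key, src, dst, sport, dport, n_queues=16):
    """Assumed model: low 7 hash bits index a round-robin 128-entry table."""
    return (rss_hash(key, src, dst, sport, dport) & 0x7F) % n_queues


def split_flows(key, flows):
    """Count flows whose two directions land on different queues."""
    return sum(queue(key, s, d, sp, dp) != queue(key, d, s, dp, sp)
               for s, d, sp, dp in flows)


# Constructed sample flows: 256 clients talking to one HTTP server.
FLOWS = [(f"10.0.{i // 16}.{i % 16 + 1}", "192.0.2.80", 40000 + 7 * i, 80)
         for i in range(256)]

if __name__ == "__main__":
    print("split flows, constructed key:", split_flows(CONSTRUCTED_KEY, FLOWS))
    print("split flows, 6d:5a key:      ", split_flows(SYMMETRIC_KEY, FLOWS))
```

Because the key repeats every 16 bits, the key window seen by a source-address bit is identical to the one seen by the matching destination-address bit (32 bits later), and likewise for the two ports (16 bits apart), so swapping the endpoints cannot change the hash.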
