[Oisf-users] Suricata 4.0.3 with Napatech problems

Peter Manev petermanev at gmail.com
Wed Jan 10 18:17:54 UTC 2018


On Wed, Jan 10, 2018 at 11:08 AM, Steve Castellarin
<steve.castellarin at gmail.com> wrote:
> All,
>
> I've been running Suricata 3.1.1 (with Hyperscan) on an Ubuntu 14.04.5 64bit
> system with an older Napatech driver set for quite a while with no issues.
> The system is running dual E5-2660 v3 @2.60Ghz processors with 128Gb of
> memory.  I've gone ahead and upgraded the Napatech drivers to 10.0.4 and
> downloaded/compiled Suricata 4.0.3.  I've done the best I can to copy
> configuration settings from the 3.1.1 suricata.yaml to the 4.0.3
> suricata.yaml.  I run Suricata by issuing:
>   /usr/bin/suricata -c /etc/suricata/suricata.yaml --napatech --runmode workers -D
>
> I continue to see issues where Suricata will run for a time when I notice
> one of the CPUs hitting 100%, and stay there.  Then when running Napatech's
> "profiling" command I'll see one of the host buffers dropping 100% of the
> packets.  As time goes along another CPU/host buffer will have the same
> issue, etc, etc.
>
> I've been banging my head over this for a couple weeks with no success,
> other than killing the Suricata process then restarting - to only have this
> issue crop up again.
>
> One thing I notice, when I issue the "kill `pidof suricata`" Suricata will
> take a while to end gracefully.  But, it leaves the PID file behind in
> /var/run.
>
> Any ideas on how to attack this, before I have to roll back my upgrade?
>

Can you share some more info on your suricata config and any info in
suricata.log/stats.log?

> Thanks!!
>



-- 
Regards,
Peter Manev


