[Oisf-users] Suricata 4.0.3 with Napatech problems

Steve Castellarin steve.castellarin at gmail.com
Wed Jan 24 17:27:12 UTC 2018 

If a bug/feature report is needed - would that fall into Bug #2423 that I
opened on Redmine last week?

As for splitting the rules, I'll test that out and let you know what
happens.

On Wed, Jan 24, 2018 at 11:46 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Wed, Jan 24, 2018 at 5:38 PM, Steve Castellarin
> <steve.castellarin at gmail.com> wrote:
> > One thing I notice is that whenever 4.0.3 has this issue and I issue a
> "kill
> > `pidof suricata`" Suricata always logs two errors at the end of the
> > suricata.log file:
> >
> > <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect
> > thread - "W#[THREAD]-[HB#]".  Killing engine
> > <Error> - [ERRCODE: SC_ERR_NAPATECH_INIT_FAILED(219)] - NT_InfoRead()
> > failed: NTAPI is terminating
> >
>
> This needs maybe a bug/feature report - i havn't experienced it with
> af-packet/pcap/pf-ring
>
> > The "HB#" from the first error line matches the host buffer seeing the
> > spiraling packet drops.  This offending host buffer is always noted in
> the
> > "suricata.log" file with messages like:
> >
> > <Info> - HB# - Increasing Host Buffer Fill Level :   25%
> > <Info> - HB# - Increasing Host Buffer Fill Level :   51%
> > <Info> - HB# - Increasing Host Buffer Fill Level :   75%
> > <Info> - HB# - Increasing Host Buffer Fill Level :  100%
> > <Info> - HB# - Increasing Adapter SDRAM Fill Level:   26%
> > <Info> - HB# - Increasing Adapter SDRAM Fill Level:   53%
> > <Info> - HB# - Increasing Adapter SDRAM Fill Level:   80%
> > <Info> - HB# - Increasing Adapter SDRAM Fill Level:  100%
> >
> >
> > Could this point to an issue with the Napatech code in Suricata - and
> how it
> > pulls/polls/etc data from the Napatech?
> >
> >
>
> Might be.
> Can you try to split the rules you are loading and just load 1/2 of
> the rules for example - see if that is going to have any effect
> (switch each 1/2 too to take turn to run)?
>
> >
> > On Wed, Jan 24, 2018 at 11:08 AM, Steve Castellarin
> > <steve.castellarin at gmail.com> wrote:
> >>
> >> I made the change to mpm-algo and spm-algo as you asked.  Suricata 4.0.3
> >> ran for just over 2 hours then exhibited the same 100% buffer/packets
> >> dropping with one CPU pegged at 100%.  I'm attaching a .zip with the
> stats &
> >> suricata.log files.  At the time of the hangup I noticed that our
> bandwidth
> >> utilization was under 800Mbps.
> >>
> >> On Wed, Jan 24, 2018 at 9:12 AM, Peter Manev <petermanev at gmail.com>
> wrote:
> >>>
> >>> On Wed, Jan 24, 2018 at 2:44 PM, Steve Castellarin
> >>> <steve.castellarin at gmail.com> wrote:
> >>> > I'll give those a try now and let you know what happens.  In an
> earlier
> >>> > email I noted something and wanted to get your take on it...
> >>> >
> >>> > "I've noticed one thing that's strange.  In my YAML file I have the
> >>> > "autofp-scheduler" set to "active-packets".  Yet everytime I run
> >>> > Suricata I
> >>> > see this noted in suricata.log "using flow hash instead of active
> >>> > packets".
> >>> > When I comment out the "autofp-scheduler" setting in the YAML file
> then
> >>> > that
> >>> > message disappears.  Any idea on what that is all about?"
> >>> >
> >>>
> >>> This is the default setting -
> >>>
> >>> https://redmine.openinfosecfoundation.org/
> projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L1024
> >>> with regards to autofp - but in your case you are using "--napatech
> >>> --runmode workers" so it should be unrelated.
> >>>
> >>>
> >>> > On Tue, Jan 23, 2018 at 6:00 PM, Peter Manev <petermanev at gmail.com>
> >>> > wrote:
> >>> >>
> >>> >> On Tue, Jan 23, 2018 at 9:51 PM, Steve Castellarin
> >>> >> <steve.castellarin at gmail.com> wrote:
> >>> >> > Peter,
> >>> >> >
> >>> >> > I reviewed my compile of Suricata 4.0.3 I noticed that I was using
> >>> >> > Hyperscan
> >>> >> > version 4.7, as opposed to version 4.2 noted in the Suricata
> >>> >> > documentation
> >>> >> >
> >>> >> > (http://suricata.readthedocs.io/en/latest/performance/
> hyperscan.html).
> >>> >> > After recompiling with 4.2 I was able to get Suricata 4.0.3 to run
> >>> >> > for
> >>> >> > 42
> >>> >> > minutes before it started dropping packets uncontrollably.
> >>> >> >
> >>> >>
> >>> >> If that made a change in behavior - can you try mpm-algo; ac-ks and
> >>> >> spm-algo: bm in the suricata.yaml?
> >>> >>
> >>> >> > I then made a change to /proc/sys/vm/max_map_count based on a note
> >>> >> > in
> >>> >> > Napatech's documentation: "Especially for large host buffer
> >>> >> > configurations
> >>> >> > it is necessary to adjust the kernel sysctl "vm.max_map_count"
> >>> >> > (/proc/sys/vm/max_map_count).  The kernel sysctl
> "vm.max_map_count"
> >>> >> > (/proc/sys/vm/max_map_count) should be adjusted to (at least) the
> >>> >> > total
> >>> >> > configured host buffer memory in MB multiplied by four.
> >>> >> > Example for total host buffer size 128GB (131072MB): 131072*4 =
> >>> >> > 524288.
> >>> >> > Hence the minimum value for "vm.max_map_count" is 524288."
> >>> >> >
> >>> >> > In my case I'm using 17 host buffers at 2048MB per ((17 * 2048) *
> >>> >> > 4),
> >>> >> > which
> >>> >> > would be 139264.  My vm.max_map_count previously was 65530 (I
> guess
> >>> >> > default
> >>> >> > for Ubuntu 14.04).  After changing that and re-running Suricata
> >>> >> > 4.0.3 it
> >>> >> > ran
> >>> >> > for 45 minutes before the buffer/CPU issue came back.
> >>> >> >
> >>> >> > On Tue, Jan 23, 2018 at 9:49 AM, Steve Castellarin
> >>> >> > <steve.castellarin at gmail.com> wrote:
> >>> >> >>
> >>> >> >> Hi Peter,
> >>> >> >>
> >>> >> >> I just realized I responded directly to you instead of the
> mailing
> >>> >> >> list
> >>> >> >> -
> >>> >> >> so here's my response, updated.
> >>> >> >>
> >>> >> >> I made a change to my YAML file for 4.0.3, dropping the
> >>> >> >> detect-thread-ratio from 1.5 to 1 and on Friday was able to run
> >>> >> >> Suricata
> >>> >> >> 4.0.3 for five hours before the issue occurred.  This run did
> >>> >> >> handle
> >>> >> >> sustained network traffic of 1.2 through 1.7gbps.  So that is a
> >>> >> >> step in
> >>> >> >> the
> >>> >> >> positive direction.  I'm going to have a hard time running 4.0.3
> >>> >> >> without
> >>> >> >> rules, as this unfortunately is our only Suricata instance
> running
> >>> >> >> our
> >>> >> >> rule
> >>> >> >> set.
> >>> >> >>
> >>> >> >> I've noticed one thing that's strange.  In my YAML file I have
> the
> >>> >> >> "autofp-scheduler" set to "active-packets".  Yet everytime I run
> >>> >> >> Suricata I
> >>> >> >> see this noted in suricata.log "using flow hash instead of active
> >>> >> >> packets".
> >>> >> >> When I comment out the "autofp-scheduler" setting in the YAML
> file
> >>> >> >> then
> >>> >> >> that
> >>> >> >> message disappears.  Any idea on what that is all about?
> >>> >> >>
> >>> >> >> On Sun, Jan 21, 2018 at 3:49 PM, Peter Manev <
> petermanev at gmail.com>
> >>> >> >> wrote:
> >>> >> >>>
> >>> >> >>>
> >>> >> >>>
> >>> >> >>> On 18 Jan 2018, at 19:21, Steve Castellarin
> >>> >> >>> <steve.castellarin at gmail.com>
> >>> >> >>> wrote:
> >>> >> >>>
> >>> >> >>> And also, the bandwidth utilization was just over 800Mbps.
> >>> >> >>>
> >>> >> >>>
> >>> >> >>> Can you try the same run but this time - load no rules. I would
> >>> >> >>> like
> >>> >> >>> to
> >>> >> >>> see if it would make difference or not in the same amount of
> time.
> >>> >> >>>
> >>> >> >>>
> >>> >> >>> On Thu, Jan 18, 2018 at 1:16 PM, Steve Castellarin
> >>> >> >>> <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>
> >>> >> >>>> Hey Peter,
> >>> >> >>>>
> >>> >> >>>> Those changes didn't help.  Around 23+ minutes into the run one
> >>> >> >>>> worker
> >>> >> >>>> CPU (#30) stayed at 100% while buffer NT11 dropped packets and
> >>> >> >>>> would
> >>> >> >>>> not
> >>> >> >>>> recover.  I'm attaching a zip file that has the stats.log for
> >>> >> >>>> that
> >>> >> >>>> run, the
> >>> >> >>>> suricata.log file as well as the information seen at the
> command
> >>> >> >>>> line
> >>> >> >>>> after
> >>> >> >>>> issuing "/usr/bin/suricata -vvv -c /etc/suricata/suricata.yaml
> >>> >> >>>> --napatech
> >>> >> >>>> --runmode workers -D".
> >>> >> >>>>
> >>> >> >>>> Steve
> >>> >> >>>>
> >>> >> >>>>
> >>> >> >>>> On Thu, Jan 18, 2018 at 11:30 AM, Steve Castellarin
> >>> >> >>>> <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>>
> >>> >> >>>>> We never see above 2Gbps.  When the issue occurred a little
> bit
> >>> >> >>>>> ago
> >>> >> >>>>> I
> >>> >> >>>>> was running the Napatech "monitoring" tool and it was saying
> we
> >>> >> >>>>> were
> >>> >> >>>>> between
> >>> >> >>>>> 650-900Mbps.  I'll note the bandwidth utilization when the
> next
> >>> >> >>>>> issue
> >>> >> >>>>> occurs.
> >>> >> >>>>>
> >>> >> >>>>> On Thu, Jan 18, 2018 at 11:28 AM, Peter Manev
> >>> >> >>>>> <petermanev at gmail.com>
> >>> >> >>>>> wrote:
> >>> >> >>>>>>
> >>> >> >>>>>> On Thu, Jan 18, 2018 at 5:27 PM, Steve Castellarin
> >>> >> >>>>>> <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>>> > When you mean the "size of the traffic", are you asking
> what
> >>> >> >>>>>> > the
> >>> >> >>>>>> > bandwidth
> >>> >> >>>>>> > utilization is at the time the issue begins?
> >>> >> >>>>>>
> >>> >> >>>>>> Sorry - i mean the traffic you sniff - 1/5/10...Gbps ?
> >>> >> >>>>>>
> >>> >> >>>>>> >
> >>> >> >>>>>> > I will set things up and send you any/all output after the
> >>> >> >>>>>> > issue
> >>> >> >>>>>> > starts.
> >>> >> >>>>>> >
> >>> >> >>>>>> > On Thu, Jan 18, 2018 at 11:17 AM, Peter Manev
> >>> >> >>>>>> > <petermanev at gmail.com>
> >>> >> >>>>>> > wrote:
> >>> >> >>>>>> >>
> >>> >> >>>>>> >> On Thu, Jan 18, 2018 at 4:43 PM, Steve Castellarin
> >>> >> >>>>>> >> <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>>> >> > Hey Peter,
> >>> >> >>>>>> >> >
> >>> >> >>>>>> >> > I tried as you asked.  Less than 15 minutes after I
> >>> >> >>>>>> >> > restarted
> >>> >> >>>>>> >> > Suricata I
> >>> >> >>>>>> >> > saw
> >>> >> >>>>>> >> > my first CPU hitting 100% and one host buffer dropping
> all
> >>> >> >>>>>> >> > packets.
> >>> >> >>>>>> >> > Shortly
> >>> >> >>>>>> >> > after that the second CPU hit 100% and a second host
> >>> >> >>>>>> >> > buffer
> >>> >> >>>>>> >> > began
> >>> >> >>>>>> >> > dropping
> >>> >> >>>>>> >> > all packets.  I'm attaching the stats.log where you'll
> see
> >>> >> >>>>>> >> > at
> >>> >> >>>>>> >> > 10:31:11
> >>> >> >>>>>> >> > the
> >>> >> >>>>>> >> > first host buffer (nt1.drop) starts to register dropped
> >>> >> >>>>>> >> > packets,
> >>> >> >>>>>> >> > then at
> >>> >> >>>>>> >> > 10:31:51 you'll see host buffer nt6.drop begin to
> register
> >>> >> >>>>>> >> > dropped
> >>> >> >>>>>> >> > packets.
> >>> >> >>>>>> >> > At that point I issued the kill.
> >>> >> >>>>>> >> >
> >>> >> >>>>>> >>
> >>> >> >>>>>> >> What is the size of the traffic?
> >>> >> >>>>>> >> Can you also try
> >>> >> >>>>>> >> detect:
> >>> >> >>>>>> >>   - profile: high
> >>> >> >>>>>> >>
> >>> >> >>>>>> >> (as opposed to "custom")
> >>> >> >>>>>> >>
> >>> >> >>>>>> >> Also if can run it in verbose mode (-vvv)   and send me
> that
> >>> >> >>>>>> >> compete
> >>> >> >>>>>> >> output after you start having the issues.
> >>> >> >>>>>> >>
> >>> >> >>>>>> >> Thanks
> >>> >> >>>>>> >>
> >>> >> >>>>>> >>
> >>> >> >>>>>> >>
> >>> >> >>>>>> >> > Steve
> >>> >> >>>>>> >> >
> >>> >> >>>>>> >> > On Thu, Jan 18, 2018 at 10:05 AM, Peter Manev
> >>> >> >>>>>> >> > <petermanev at gmail.com>
> >>> >> >>>>>> >> > wrote:
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >> On Wed, Jan 17, 2018 at 1:29 PM, Steve Castellarin
> >>> >> >>>>>> >> >> <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>>> >> >> > Hey Pete,
> >>> >> >>>>>> >> >> >
> >>> >> >>>>>> >> >> > Here's the YAML file from the last time I attempted
> to
> >>> >> >>>>>> >> >> > run
> >>> >> >>>>>> >> >> > 4.0.3 -
> >>> >> >>>>>> >> >> > with
> >>> >> >>>>>> >> >> > the
> >>> >> >>>>>> >> >> > network information removed.  Let me know if you need
> >>> >> >>>>>> >> >> > anything
> >>> >> >>>>>> >> >> > else
> >>> >> >>>>>> >> >> > from
> >>> >> >>>>>> >> >> > our
> >>> >> >>>>>> >> >> > configuration.  I'll also go to the redmine site to
> >>> >> >>>>>> >> >> > open a
> >>> >> >>>>>> >> >> > bug
> >>> >> >>>>>> >> >> > report.
> >>> >> >>>>>> >> >> >
> >>> >> >>>>>> >> >> > Steve
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >> Hi Steve,
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >> Can you try without -
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >>   midstream: true
> >>> >> >>>>>> >> >>   asyn-oneside:true
> >>> >> >>>>>> >> >> so
> >>> >> >>>>>> >> >>   #midstream: true
> >>> >> >>>>>> >> >>   #asyn-oneside:true
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >> and lower the "prealloc-session: 1000000" to 100 000
> for
> >>> >> >>>>>> >> >> example
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >> Thank you.
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >> >
> >>> >> >>>>>> >> >> > On Wed, Jan 17, 2018 at 6:36 AM, Peter Manev
> >>> >> >>>>>> >> >> > <petermanev at gmail.com>
> >>> >> >>>>>> >> >> > wrote:
> >>> >> >>>>>> >> >> >>
> >>> >> >>>>>> >> >> >> On Tue, Jan 16, 2018 at 4:12 PM, Steve Castellarin
> >>> >> >>>>>> >> >> >> <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>>> >> >> >> > Hey Peter, I didn't know if you had a chance to
> look
> >>> >> >>>>>> >> >> >> > at
> >>> >> >>>>>> >> >> >> > the
> >>> >> >>>>>> >> >> >> > stats
> >>> >> >>>>>> >> >> >> > log
> >>> >> >>>>>> >> >> >> > and
> >>> >> >>>>>> >> >> >> > configuration file I sent.  So far, running 3.1.1
> >>> >> >>>>>> >> >> >> > with
> >>> >> >>>>>> >> >> >> > the
> >>> >> >>>>>> >> >> >> > updated
> >>> >> >>>>>> >> >> >> > Napatech
> >>> >> >>>>>> >> >> >> > drivers my system is running without any issues.
> >>> >> >>>>>> >> >> >> >
> >>> >> >>>>>> >> >> >>
> >>> >> >>>>>> >> >> >> The toughest part of the troubleshooting is that i
> >>> >> >>>>>> >> >> >> dont
> >>> >> >>>>>> >> >> >> have
> >>> >> >>>>>> >> >> >> the set
> >>> >> >>>>>> >> >> >> up to reproduce this.
> >>> >> >>>>>> >> >> >> I didn't see anything that could lead me to
> definitive
> >>> >> >>>>>> >> >> >> conclusion
> >>> >> >>>>>> >> >> >> from
> >>> >> >>>>>> >> >> >> the stats log.
> >>> >> >>>>>> >> >> >> Can you please open a bug report on our redmine with
> >>> >> >>>>>> >> >> >> the
> >>> >> >>>>>> >> >> >> details
> >>> >> >>>>>> >> >> >> form
> >>> >> >>>>>> >> >> >> this mialthread?
> >>> >> >>>>>> >> >> >>
> >>> >> >>>>>> >> >> >> Would it be possible to share the suricata.yaml
> >>> >> >>>>>> >> >> >> (privately
> >>> >> >>>>>> >> >> >> if
> >>> >> >>>>>> >> >> >> you
> >>> >> >>>>>> >> >> >> would like works too; remove all networks)?
> >>> >> >>>>>> >> >> >>
> >>> >> >>>>>> >> >> >> Thank you
> >>> >> >>>>>> >> >> >>
> >>> >> >>>>>> >> >> >> > On Thu, Jan 11, 2018 at 12:54 PM, Steve
> Castellarin
> >>> >> >>>>>> >> >> >> > <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>>> >> >> >> >>
> >>> >> >>>>>> >> >> >> >> Here is the zipped stats.log.  I restarted the
> >>> >> >>>>>> >> >> >> >> Napatech
> >>> >> >>>>>> >> >> >> >> drivers
> >>> >> >>>>>> >> >> >> >> before
> >>> >> >>>>>> >> >> >> >> running Suricata 4.0.3 to clear out any previous
> >>> >> >>>>>> >> >> >> >> drop
> >>> >> >>>>>> >> >> >> >> counters,
> >>> >> >>>>>> >> >> >> >> etc.
> >>> >> >>>>>> >> >> >> >>
> >>> >> >>>>>> >> >> >> >> The first time I saw a packet drop was at the
> >>> >> >>>>>> >> >> >> >> 12:20:51
> >>> >> >>>>>> >> >> >> >> mark, and
> >>> >> >>>>>> >> >> >> >> you'll
> >>> >> >>>>>> >> >> >> >> see "nt12.drop" increment.  During this time one
> of
> >>> >> >>>>>> >> >> >> >> the
> >>> >> >>>>>> >> >> >> >> CPUs
> >>> >> >>>>>> >> >> >> >> acting
> >>> >> >>>>>> >> >> >> >> as
> >>> >> >>>>>> >> >> >> >> a
> >>> >> >>>>>> >> >> >> >> "worker" was at 100%.  But these drops recovered
> at
> >>> >> >>>>>> >> >> >> >> the
> >>> >> >>>>>> >> >> >> >> 12:20:58
> >>> >> >>>>>> >> >> >> >> mark,
> >>> >> >>>>>> >> >> >> >> where
> >>> >> >>>>>> >> >> >> >> "nt12.drop" stays constant at 13803.  The big
> issue
> >>> >> >>>>>> >> >> >> >> triggered at
> >>> >> >>>>>> >> >> >> >> the
> >>> >> >>>>>> >> >> >> >> 12:27:05 mark in the file - where one worker CPU
> >>> >> >>>>>> >> >> >> >> was
> >>> >> >>>>>> >> >> >> >> stuck
> >>> >> >>>>>> >> >> >> >> at
> >>> >> >>>>>> >> >> >> >> 100%
> >>> >> >>>>>> >> >> >> >> followed
> >>> >> >>>>>> >> >> >> >> by packet drops in host buffer "nt3.drop".  Then
> >>> >> >>>>>> >> >> >> >> came a
> >>> >> >>>>>> >> >> >> >> second
> >>> >> >>>>>> >> >> >> >> CPU
> >>> >> >>>>>> >> >> >> >> at
> >>> >> >>>>>> >> >> >> >> 100%
> >>> >> >>>>>> >> >> >> >> (another "worker" CPU) and packet drops in buffer
> >>> >> >>>>>> >> >> >> >> "nt2.drop" at
> >>> >> >>>>>> >> >> >> >> 12:27:33.  I
> >>> >> >>>>>> >> >> >> >> finally killed Suricata just before 12:27:54,
> where
> >>> >> >>>>>> >> >> >> >> you
> >>> >> >>>>>> >> >> >> >> see all
> >>> >> >>>>>> >> >> >> >> host
> >>> >> >>>>>> >> >> >> >> buffers
> >>> >> >>>>>> >> >> >> >> beginning to drop packets.
> >>> >> >>>>>> >> >> >> >>
> >>> >> >>>>>> >> >> >> >> I'm also including the output from the "suricata
> >>> >> >>>>>> >> >> >> >> --dump-config"
> >>> >> >>>>>> >> >> >> >> command.
> >>> >> >>>>>> >> >> >> >>
> >>> >> >>>>>> >> >> >> >> On Thu, Jan 11, 2018 at 11:40 AM, Peter Manev
> >>> >> >>>>>> >> >> >> >> <petermanev at gmail.com>
> >>> >> >>>>>> >> >> >> >> wrote:
> >>> >> >>>>>> >> >> >> >>>
> >>> >> >>>>>> >> >> >> >>> On Thu, Jan 11, 2018 at 8:02 AM, Steve
> Castellarin
> >>> >> >>>>>> >> >> >> >>> <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>>> >> >> >> >>> > Peter, yes that is correct.  I worked for
> almost
> >>> >> >>>>>> >> >> >> >>> > a
> >>> >> >>>>>> >> >> >> >>> > couple
> >>> >> >>>>>> >> >> >> >>> > weeks
> >>> >> >>>>>> >> >> >> >>> > with
> >>> >> >>>>>> >> >> >> >>> > Napatech support and they believed the
> Napatech
> >>> >> >>>>>> >> >> >> >>> > setup
> >>> >> >>>>>> >> >> >> >>> > (ntservice.ini
> >>> >> >>>>>> >> >> >> >>> > and
> >>> >> >>>>>> >> >> >> >>> > custom NTPL script) are working as they
> should.
> >>> >> >>>>>> >> >> >> >>> >
> >>> >> >>>>>> >> >> >> >>>
> >>> >> >>>>>> >> >> >> >>> Ok.
> >>> >> >>>>>> >> >> >> >>>
> >>> >> >>>>>> >> >> >> >>> One major difference between Suricata 3.x and
> >>> >> >>>>>> >> >> >> >>> 4.0.x in
> >>> >> >>>>>> >> >> >> >>> terms of
> >>> >> >>>>>> >> >> >> >>> Napatech is that they did update the code, some
> >>> >> >>>>>> >> >> >> >>> fixes
> >>> >> >>>>>> >> >> >> >>> and
> >>> >> >>>>>> >> >> >> >>> updated
> >>> >> >>>>>> >> >> >> >>> the
> >>> >> >>>>>> >> >> >> >>> counters.
> >>> >> >>>>>> >> >> >> >>> There were a bunch of upgrades in Suricata too.
> >>> >> >>>>>> >> >> >> >>> Is it possible to send over a stats.log - when
> the
> >>> >> >>>>>> >> >> >> >>> issue
> >>> >> >>>>>> >> >> >> >>> starts
> >>> >> >>>>>> >> >> >> >>> occuring?
> >>> >> >>>>>> >> >> >> >>>
> >>> >> >>>>>> >> >> >> >>>
> >>> >> >>>>>> >> >> >> >>> > On Thu, Jan 11, 2018 at 9:52 AM, Peter Manev
> >>> >> >>>>>> >> >> >> >>> > <petermanev at gmail.com>
> >>> >> >>>>>> >> >> >> >>> > wrote:
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >> I
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >> On 11 Jan 2018, at 07:19, Steve Castellarin
> >>> >> >>>>>> >> >> >> >>> >> <steve.castellarin at gmail.com>
> >>> >> >>>>>> >> >> >> >>> >> wrote:
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >> After my last email yesterday I decided to go
> >>> >> >>>>>> >> >> >> >>> >> back
> >>> >> >>>>>> >> >> >> >>> >> to
> >>> >> >>>>>> >> >> >> >>> >> our
> >>> >> >>>>>> >> >> >> >>> >> 3.1.1
> >>> >> >>>>>> >> >> >> >>> >> install of
> >>> >> >>>>>> >> >> >> >>> >> Suricata, with
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >> the upgraded Napatech version.  Since then
> I've
> >>> >> >>>>>> >> >> >> >>> >> seen
> >>> >> >>>>>> >> >> >> >>> >> no
> >>> >> >>>>>> >> >> >> >>> >> packets
> >>> >> >>>>>> >> >> >> >>> >> dropped
> >>> >> >>>>>> >> >> >> >>> >> with sustained bandwidth of between 1 and
> >>> >> >>>>>> >> >> >> >>> >> 1.7Gbps.
> >>> >> >>>>>> >> >> >> >>> >> So
> >>> >> >>>>>> >> >> >> >>> >> I'm
> >>> >> >>>>>> >> >> >> >>> >> not
> >>> >> >>>>>> >> >> >> >>> >> sure
> >>> >> >>>>>> >> >> >> >>> >> what is
> >>> >> >>>>>> >> >> >> >>> >> going on with my configuration/setup of
> >>> >> >>>>>> >> >> >> >>> >> Suricata
> >>> >> >>>>>> >> >> >> >>> >> 4.0.3.
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >> So the only thing that you changed is the
> >>> >> >>>>>> >> >> >> >>> >> upgrade
> >>> >> >>>>>> >> >> >> >>> >> of
> >>> >> >>>>>> >> >> >> >>> >> the
> >>> >> >>>>>> >> >> >> >>> >> Napatech
> >>> >> >>>>>> >> >> >> >>> >> drivers
> >>> >> >>>>>> >> >> >> >>> >> ?
> >>> >> >>>>>> >> >> >> >>> >> The Suricata config stayed the same -  you
> just
> >>> >> >>>>>> >> >> >> >>> >> upgraded to
> >>> >> >>>>>> >> >> >> >>> >> 4.0.3
> >>> >> >>>>>> >> >> >> >>> >> (from
> >>> >> >>>>>> >> >> >> >>> >> 3.1.1) and the observed effect was - after a
> >>> >> >>>>>> >> >> >> >>> >> while
> >>> >> >>>>>> >> >> >> >>> >> all
> >>> >> >>>>>> >> >> >> >>> >> (or
> >>> >> >>>>>> >> >> >> >>> >> most)
> >>> >> >>>>>> >> >> >> >>> >> cpus
> >>> >> >>>>>> >> >> >> >>> >> get
> >>> >> >>>>>> >> >> >> >>> >> pegged at 100% - is that correct ?
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >> On Wed, Jan 10, 2018 at 4:46 PM, Steve
> >>> >> >>>>>> >> >> >> >>> >> Castellarin
> >>> >> >>>>>> >> >> >> >>> >> <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>> Hey Peter, no there is no error messages.
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>> On Jan 10, 2018 4:37 PM, "Peter Manev"
> >>> >> >>>>>> >> >> >> >>> >>> <petermanev at gmail.com>
> >>> >> >>>>>> >> >> >> >>> >>> wrote:
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>> On Wed, Jan 10, 2018 at 11:29 AM, Steve
> >>> >> >>>>>> >> >> >> >>> >>> Castellarin
> >>> >> >>>>>> >> >> >> >>> >>> <steve.castellarin at gmail.com> wrote:
> >>> >> >>>>>> >> >> >> >>> >>> > Hey Peter,
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>> Are there any errors msgs in suricata.log
> when
> >>> >> >>>>>> >> >> >> >>> >>> that
> >>> >> >>>>>> >> >> >> >>> >>> happens
> >>> >> >>>>>> >> >> >> >>> >>> ?
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>> Thank you
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>> --
> >>> >> >>>>>> >> >> >> >>> >>> Regards,
> >>> >> >>>>>> >> >> >> >>> >>> Peter Manev
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>>
> >>> >> >>>>>> >> >> >> >>> >>
> >>> >> >>>>>> >> >> >> >>> >
> >>> >> >>>>>> >> >> >> >>>
> >>> >> >>>>>> >> >> >> >>>
> >>> >> >>>>>> >> >> >> >>>
> >>> >> >>>>>> >> >> >> >>> --
> >>> >> >>>>>> >> >> >> >>> Regards,
> >>> >> >>>>>> >> >> >> >>> Peter Manev
> >>> >> >>>>>> >> >> >> >>
> >>> >> >>>>>> >> >> >> >>
> >>> >> >>>>>> >> >> >> >
> >>> >> >>>>>> >> >> >>
> >>> >> >>>>>> >> >> >>
> >>> >> >>>>>> >> >> >>
> >>> >> >>>>>> >> >> >> --
> >>> >> >>>>>> >> >> >> Regards,
> >>> >> >>>>>> >> >> >> Peter Manev
> >>> >> >>>>>> >> >> >
> >>> >> >>>>>> >> >> >
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >>
> >>> >> >>>>>> >> >> --
> >>> >> >>>>>> >> >> Regards,
> >>> >> >>>>>> >> >> Peter Manev
> >>> >> >>>>>> >> >
> >>> >> >>>>>> >> >
> >>> >> >>>>>> >>
> >>> >> >>>>>> >>
> >>> >> >>>>>> >>
> >>> >> >>>>>> >> --
> >>> >> >>>>>> >> Regards,
> >>> >> >>>>>> >> Peter Manev
> >>> >> >>>>>> >
> >>> >> >>>>>> >
> >>> >> >>>>>>
> >>> >> >>>>>>
> >>> >> >>>>>>
> >>> >> >>>>>> --
> >>> >> >>>>>> Regards,
> >>> >> >>>>>> Peter Manev
> >>> >> >>>>>
> >>> >> >>>>>
> >>> >> >>>>
> >>> >> >>>
> >>> >> >>
> >>> >> >
> >>> >>
> >>> >>
> >>> >>
> >>> >> --
> >>> >> Regards,
> >>> >> Peter Manev
> >>> >
> >>> >
> >>>
> >>>
> >>>
> >>> --
> >>> Regards,
> >>> Peter Manev
> >>
> >>
> >
>
>
>
> --
> Regards,
> Peter Manev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180124/aa20fb50/attachment-0002.html>

More information about the Oisf-users mailing list