[Oisf-users] Suricata 4.0.3 with Napatech problems

Peter Manev petermanev at gmail.com
Tue Jan 30 21:06:28 UTC 2018


On Tue, Jan 30, 2018 at 9:46 PM, Steve Castellarin
<steve.castellarin at gmail.com> wrote:
> It will stay 100% for minutes, etc - until I kill Suricata.  The same goes
> with the associated host buffer - it will continually drop packets.  If I do
> not stop Suricata, eventually a second CPU/host buffer pair will hit that
> 100% mark, and so on.  I've had instances where I've let it go to 8 or 9
> CPU/buffers at 100% before I killed it - hoping that the original CPU(s)
> would recover but they don't.
>

I meant something else.
In previous runs you mentioned that one or more buffers start hitting
100% right after 15 min.
In the two previous test runs - that you tried with 1/2 the ruleset -
how long did it take before you started seeing any buffer hitting 100%?

> On Tue, Jan 30, 2018 at 3:34 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Tue, Jan 30, 2018 at 8:49 PM, Steve Castellarin
>> <steve.castellarin at gmail.com> wrote:
>> > Hey Peter,
>> >
>> > Unfortunately I continue to have the same issues with a buffer overflowing
>> > and a CPU staying at 100%, repeating over multiple buffers and CPUs until I
>> > kill the Suricata process.
>>
>> For what period of time do you get to the 100%?
>>
>> >
>> > On Thu, Jan 25, 2018 at 9:14 AM, Steve Castellarin
>> > <steve.castellarin at gmail.com> wrote:
>> >>
>> >> OK I'll create a separate bug tracker on Redmine.
>> >>
>> >> I was able to run 4.0.3 with a smaller ruleset (13,971 versus 29,110) for
>> >> 90 minutes yesterday, without issue, before I had to leave.  I'm getting
>> >> ready to run 4.0.3 again to see how it runs and for how long.  I'll update
>> >> with results.
>> >>
>> >> On Thu, Jan 25, 2018 at 9:00 AM, Peter Manev <petermanev at gmail.com>
>> >> wrote:
>> >>>
>> >>> On Wed, Jan 24, 2018 at 6:27 PM, Steve Castellarin
>> >>> <steve.castellarin at gmail.com> wrote:
>> >>> > If a bug/feature report is needed - would that fall into Bug #2423 that I
>> >>> > opened on Redmine last week?
>> >>> >
>> >>>
>> >>> Separate is probably better.
>> >>>
>> >>> > As for splitting the rules, I'll test that out and let you know what happens.
>> >>> >
>> >>>
>> >>>
>> >>> --
>> >>> Regards,
>> >>> Peter Manev
>> >>
>> >>
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev


