[Oisf-users] Suricata 4.0.3 with Napatech problems

Peter Manev petermanev at gmail.com
Wed Jan 31 07:25:07 UTC 2018


On Tue, Jan 30, 2018 at 10:07 PM, Steve Castellarin
<steve.castellarin at gmail.com> wrote:
> Oh sorry.  In one instance it took 20-25 minutes.  Another took an hour.  In
> both cases the bandwidth utilization was under 1Gbps.
>

In this case I would suggest trying to narrow it down if possible (and
see if that is the real cause actually) - to a rule file/rule.
So maybe you can take the config that took 1 hr and start from there.


> On Tue, Jan 30, 2018 at 4:06 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Tue, Jan 30, 2018 at 9:46 PM, Steve Castellarin
>> <steve.castellarin at gmail.com> wrote:
>> > It will stay 100% for minutes, etc - until I kill Suricata.  The same goes
>> > with the associated host buffer - it will continually drop packets.  If I do
>> > not stop Suricata, eventually a second CPU/host buffer pair will hit that
>> > 100% mark, and so on.  I've had instances where I've let it go to 8 or 9
>> > CPU/buffers at 100% before I killed it - hoping that the original CPU(s)
>> > would recover but they don't.
>> >
>>
>> I meant something else.
>> In previous runs you mentioned that one or more buffers start hitting
>> 100% right after 15 min.
>> In the two previous test runs - that you tried with 1/2 the ruleset -
>> how long did it take before you started seeing any buffer hitting 100%?
>>
>> > On Tue, Jan 30, 2018 at 3:34 PM, Peter Manev <petermanev at gmail.com>
>> > wrote:
>> >>
>> >> On Tue, Jan 30, 2018 at 8:49 PM, Steve Castellarin
>> >> <steve.castellarin at gmail.com> wrote:
>> >> > Hey Peter,
>> >> >
>> >> > Unfortunately I continue to have the same issues with a buffer overflowing
>> >> > and a CPU staying at 100%, repeating over multiple buffers and CPUs until I
>> >> > kill the Suricata process.
>> >>
>> >> For what period of time do you get to the 100%?
>> >>
>> >> >
>> >> > On Thu, Jan 25, 2018 at 9:14 AM, Steve Castellarin
>> >> > <steve.castellarin at gmail.com> wrote:
>> >> >>
>> >> >> OK I'll create a separate bug tracker on Redmine.
>> >> >>
>> >> >> I was able to run 4.0.3 with a smaller ruleset (13,971 versus 29,110) for
>> >> >> 90 minutes yesterday, without issue, before I had to leave.  I'm getting
>> >> >> ready to run 4.0.3 again to see how it runs and for how long.  I'll update
>> >> >> with results.
>> >> >>
>> >> >> On Thu, Jan 25, 2018 at 9:00 AM, Peter Manev <petermanev at gmail.com>
>> >> >> wrote:
>> >> >>>
>> >> >>> On Wed, Jan 24, 2018 at 6:27 PM, Steve Castellarin
>> >> >>> <steve.castellarin at gmail.com> wrote:
>> >> >>> > If a bug/feature report is needed - would that fall into Bug #2423 that I
>> >> >>> > opened on Redmine last week?
>> >> >>> >
>> >> >>>
>> >> >>> Separate is probably better.
>> >> >>>
>> >> >>> > As for splitting the rules, I'll test that out and let you know what
>> >> >>> > happens.
>> >> >>> >
>> >> >>>
>> >> >>>
>> >> >>> --
>> >> >>> Regards,
>> >> >>> Peter Manev
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Regards,
>> >> Peter Manev
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev


