[Oisf-users] High Suricata capture.kernel_drops
    fatema bannatwala
    fatema.bannatwala at gmail.com
    Tue Jul 10 19:00:30 UTC 2018

Hi,
I am pretty new to Suricata and started to play around with it.
I have Suricata 4.0.4 running on a CentOS 7 box that has 20 cores (40
online CPUs), an Intel X710 NIC, and 64 GB of RAM.
I am using AF_Packet with the following settings, along with some other
relevant settings:
# Linux high speed capture support
af-packet:
  - interface: em1
    threads: 24
    cluster-id: 99
    cluster-type: cluster_cpu
    defrag: yes
    use-mmap: yes
    ring-size: 30000
......
max-pending-packets: 10000
runmode: workers
mpm-algo: auto
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "all" ]  # include only these cpus in affinity settings
        mode: "balanced"
        prio:
          default: "low"
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
detect-thread-ratio: 1.0
I am monitoring a ~5GBps link and am seeing a high kernel_drops count in
stats.log:
capture.kernel_packets                     | Total                     | 301360376
capture.kernel_drops                       | Total                     | 67468903
Any idea how I can reduce the kernel drop rate of packets? Or how can I
check whether the af_packet threads are working correctly?
I have also disabled checksumming on the Ethernet interface:
# ethtool -K em1 rx off tx off tso off sg off gso off gro off
Any help appreciated.
Thanks,
Fatema.
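An added example, not code from the post or from the Suricata project, that parses the capture counters in the stats.log layout quoted above and reports the kernel drop rate and any idle workers; it assumes per-thread stats are enabled so that `W#NN-em1` lines appear, and the per-thread figures in the sample are constructed.

```python
# Added example: parse Suricata stats.log capture counters and compute
# the kernel drop rate overall and per AF_PACKET worker thread.
import re
from collections import defaultdict

# Constructed sample in stats.log layout: "counter | thread | value".
# The Total line uses the figures from the post; the per-thread lines are
# made up to show an uneven split and an idle worker (W#03).
SAMPLE_STATS = """\
capture.kernel_packets                     | Total                     | 301360376
capture.kernel_drops                       | Total                     | 67468903
capture.kernel_packets                     | W#01-em1                  | 150000000
capture.kernel_drops                       | W#01-em1                  | 60000000
capture.kernel_packets                     | W#02-em1                  | 151360376
capture.kernel_drops                       | W#02-em1                  | 7468903
capture.kernel_packets                     | W#03-em1                  | 0
capture.kernel_drops                       | W#03-em1                  | 0
"""

LINE_RE = re.compile(r"^\s*(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_capture_counters(text):
    """Return {thread: {'packets': n, 'drops': n}} from capture.kernel_* lines."""
    counters = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, thread, value = m.groups()
        key = "packets" if name.endswith("packets") else "drops"
        # stats.log is appended periodically with cumulative values,
        # so the last occurrence for a thread is the current one
        counters[thread][key] = int(value)
    return dict(counters)

def drop_rate(counters, thread="Total"):
    """Fraction of kernel-seen packets that were dropped for one thread."""
    c = counters[thread]
    return c["drops"] / c["packets"] if c["packets"] else 0.0

def idle_threads(counters):
    """Workers that never received a packet: a sign the AF_PACKET fanout
    is not spreading load across all configured threads."""
    return sorted(t for t, c in counters.items() if t != "Total" and c["packets"] == 0)

if __name__ == "__main__":
    counters = parse_capture_counters(SAMPLE_STATS)
    print(f"overall drop rate: {drop_rate(counters):.1%}")
    print("idle workers:", idle_threads(counters))
```

Run it against a real stats.log (`parse_capture_counters(open("/var/log/suricata/stats.log").read())`) to see whether the drops are spread evenly or concentrated on a few workers.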