[Oisf-users] High Suricata capture.kernel_drops
fatema bannatwala
fatema.bannatwala at gmail.com
Thu Jul 12 14:37:32 UTC 2018
Hi Mike,
As of now, the following is from the stats.log file:
------------------------------------------------------------------------------------
Date: 7/12/2018 -- 10:36:07 (uptime: 0d, 00h 42m 00s)
------------------------------------------------------------------------------------
Counter                           | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets            | Total   | 799263310
capture.kernel_drops              | Total   | 9026058
decoder.pkts                      | Total   | 790263391
decoder.bytes                     | Total   | 676508317106
decoder.invalid                   | Total   | 1195
decoder.ipv4                      | Total   | 790263395
decoder.ipv6                      | Total   | 48047
decoder.ethernet                  | Total   | 790263391
decoder.tcp                       | Total   | 628832359
decoder.udp                       | Total   | 123066710
decoder.icmpv4                    | Total   | 1166436
decoder.icmpv6                    | Total   | 30616
decoder.gre                       | Total   | 4
decoder.teredo                    | Total   | 15176
decoder.avg_pkt_size              | Total   | 856
decoder.max_pkt_size              | Total   | 15604
flow.tcp                          | Total   | 8928156
flow.udp                          | Total   | 2513270
flow.icmpv6                       | Total   | 1898
decoder.icmpv4.ipv4_unknown_ver   | Total   | 13
decoder.tcp.hlen_too_small        | Total   | 907
decoder.tcp.opt_invalid_len       | Total   | 272
decoder.udp.pkt_too_small         | Total   | 3
tcp.sessions                      | Total   | 7476848
tcp.ssn_memcap_drop               | Total   | 755957
tcp.pseudo                        | Total   | 146
tcp.invalid_checksum              | Total   | 25868
tcp.syn                           | Total   | 9252585
tcp.synack                        | Total   | 3002962
tcp.rst                           | Total   | 2109777
tcp.segment_memcap_drop           | Total   | 239663
tcp.stream_depth_reached          | Total   | 24785
tcp.reassembly_gap                | Total   | 169111
tcp.overlap                       | Total   | 520434
tcp.insert_data_normal_fail       | Total   | 81175273
tcp.insert_data_overlap_fail      | Total   | 78
detect.alert                      | Total   | 10020
detect.mpm_list                   | Total   | 4
detect.nonmpm_list                | Total   | 2
detect.fnonmpm_list               | Total   | 1
detect.match_list                 | Total   | 4
app_layer.flow.http               | Total   | 4918
app_layer.tx.http                 | Total   | 16709
app_layer.flow.ftp                | Total   | 1
app_layer.flow.smtp               | Total   | 54
app_layer.tx.smtp                 | Total   | 105
app_layer.flow.tls                | Total   | 26584
app_layer.flow.ssh                | Total   | 11
app_layer.flow.dns_tcp            | Total   | 229
app_layer.tx.dns_tcp              | Total   | 212
app_layer.flow.failed_tcp         | Total   | 13012
app_layer.flow.dcerpc_udp         | Total   | 54
app_layer.flow.dns_udp            | Total   | 1446949
app_layer.tx.dns_udp              | Total   | 177476
app_layer.flow.failed_udp         | Total   | 1066267
flow_mgr.closed_pruned            | Total   | 2052437
flow_mgr.new_pruned               | Total   | 7080586
flow_mgr.est_pruned               | Total   | 1831390
flow.spare                        | Total   | 10691
flow.emerg_mode_entered           | Total   | 71
flow.emerg_mode_over              | Total   | 71
flow.tcp_reuse                    | Total   | 22144
flow_mgr.flows_checked            | Total   | 88100
flow_mgr.flows_notimeout          | Total   | 85619
flow_mgr.flows_timeout            | Total   | 2481
flow_mgr.flows_timeout_inuse      | Total   | 35
flow_mgr.flows_removed            | Total   | 2446
flow_mgr.rows_checked             | Total   | 65536
flow_mgr.rows_skipped             | Total   | 53175
flow_mgr.rows_empty               | Total   | 4
flow_mgr.rows_maxlen              | Total   | 20
tcp.memuse                        | Total   | 66631640
tcp.reassembly_memuse             | Total   | 268435376
dns.memuse                        | Total   | 17021644
dns.memcap_global                 | Total   | 6500069
http.memuse                       | Total   | 352527
flow.memuse                       | Total   | 121777504
Thanks,
Fatema.
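As an added example (not from this thread or from the Suricata project), the following Python reads a stats.log dump in the layout above and flags the counters that explain where the drops come from: the kernel drop ratio, the `*_memcap_drop` counters, flow emergency mode, and memuse counters sitting at their memcap. The sample rows are re-typed from the counters posted above; the memcap values are assumed to be the suricata.yaml defaults of the time (stream.memcap 64mb, stream.reassembly.memcap 256mb), and the thresholds are this example's own.

```python
import re
# Constructed sample: a few rows re-typed from the stats.log dump posted above.
SAMPLE_STATS = """\
Counter                 | TM Name | Value
capture.kernel_packets  | Total   | 799263310
capture.kernel_drops    | Total   | 9026058
tcp.sessions            | Total   | 7476848
tcp.ssn_memcap_drop     | Total   | 755957
tcp.segment_memcap_drop | Total   | 239663
flow.emerg_mode_entered | Total   | 71
tcp.memuse              | Total   | 66631640
tcp.reassembly_memuse   | Total   | 268435376
"""
# Assumption: memcaps are the suricata.yaml defaults of the time (in bytes),
# keyed by yaml setting and mapped to the memuse counter that setting bounds.
DEFAULT_MEMCAPS = {
    "stream.memcap": ("tcp.memuse", 64 * 1024 * 1024),
    "stream.reassembly.memcap": ("tcp.reassembly_memuse", 256 * 1024 * 1024),
}
ROW_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_stats(text):
    """Map counter name -> value for the 'Total' rows of one stats.log dump."""
    rows = (ROW_RE.match(line) for line in text.splitlines())
    return {m.group(1): int(m.group(3)) for m in rows if m and m.group(2) == "Total"}

def kernel_drop_pct(counters):
    """Share of packets the kernel dropped before Suricata could read them."""
    pkts = counters.get("capture.kernel_packets", 0)
    return 100.0 * counters.get("capture.kernel_drops", 0) / pkts if pkts else 0.0

def diagnose(counters, memcaps=DEFAULT_MEMCAPS, drop_limit_pct=0.1, memuse_limit=0.95):
    """Return {counter or setting: finding}; an empty dict means nothing stood out."""
    out = {}
    pct = kernel_drop_pct(counters)
    if pct > drop_limit_pct:
        out["capture.kernel_drops"] = f"{pct:.2f}% of packets dropped in the kernel"
    # A non-zero *_memcap_drop counter means a memory limit was hit, not bad traffic.
    for name, setting in (("tcp.ssn_memcap_drop", "stream.memcap"),
                          ("tcp.segment_memcap_drop", "stream.reassembly.memcap")):
        if counters.get(name, 0):
            out[name] = f"{counters[name]} drops: {setting} too small"
    if counters.get("flow.emerg_mode_entered", 0):
        out["flow.emerg_mode_entered"] = "flow engine ran out of memcap or spare flows"
    for setting, (counter, cap) in memcaps.items():
        used = counters.get(counter, 0)
        if used >= memuse_limit * cap:
            out[setting] = f"{counter} at {100.0 * used / cap:.1f}% of assumed {cap} bytes"
    return out
```

Run against the posted numbers, the kernel drop ratio is about 1.13%, both memcap_drop counters are non-zero, and tcp.reassembly_memuse sits 80 bytes below 256 MiB, so the memcaps, not the NIC, are the first thing to raise.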
On Thu, Jul 12, 2018 at 3:20 AM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
> Share your Suricata stats please. Nothing will work correctly when memory
> isn’t allocated correctly. Also part of Septun ;)
>
> > On Jul 11, 2018, at 11:43 PM, Peter Manev <petermanev at gmail.com> wrote:
> >
> >> On Thu, Jul 12, 2018 at 9:06 AM, Peter Manev <petermanev at gmail.com> wrote:
> >>
> >>
> >> On 11 Jul 2018, at 22:02, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> >>
> >> Hi Sean.
> >>
> >> I have two NUMA nodes, and Node 0 is the NICs NUMA node:
> >>
> >> NUMA node0 CPU(s):
> >> 0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38
> >> NUMA node1 CPU(s):
> >> 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39
> >>
> >> $ cat /sys/class/net/em1/device/numa_node
> >> 0
> >>
> >> So does that mean that I can assign only threads from NUMA node0 to the
> >> management-cpu-set and worker-cpu-set, as it's the NICs NUMA node?
> >>
> >>
> >>
> >> There are two ways you can go by here (the way I see it), but I think the
> >> easiest from an administrative point of view (to at least try out fast) might be
> >> to just use numactl (including membind if needed) to make sure Suri is using
> >> the NIC's local NUMA node.
> >>
> >> I am not able to figure out from the Septun doc which threads/cores would be
> >> pinned to which set in cpu-affinity, as you suggested earlier, hence I went
> >> with "all" in the worker and cpu sets by default.
> >>
> >> I will try to update the drivers for the NICs next.
> >>
> >>
> >> That is always recommended !
> >>
> >> As for HS, I didn't know about it before, and now that I have already
> >> compiled Suricata from source, when I do $suricata --build-info, it shows
> >> "Hyperscan support: no".
> >> Hence I assume that I have to recompile Suricata again to get that enabled,
> >> which I would not like to do as of now.
> >>
> >>
> >> There is an example here of how to compile Hyperscan on Ubuntu from the
> >> docs:
> >> https://suricata.readthedocs.io/en/latest/performance/hyperscan.html?highlight=Hyperscan
> >>
> >> Thanks
> >>
> >
> >
> > Since we are on the subject - this example should get you the latest
> > Suricata with Hyperscan (you may want to update the boost version
> > though) on RedHat/CentOS:
> > https://pastebin.com/iSKK53Dw
> >
> > Hope it helps!
> >
> >>
> >> Thanks,
> >> Fatema.
> >>
> >>
> >>
> >>
> >> On Wed, Jul 11, 2018 at 2:19 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> >>>
> >>> First get the NUMA node for the CPUs; lscpu should provide that in the
> >>> last two lines of the output.
> >>>
> >>>
> >>>
> >>> Find your NIC's NUMA node first and go from there for affinity settings:
> >>> cat /sys/class/net/em1/device/numa_node
> >>>
> >>> Update the drivers for the NIC:
> >>> https://downloadcenter.intel.com/download/24411/Intel-Network-Adapter-Driver-for-PCIe-40-Gigabit-Ethernet-Network-Connections-Under-Linux-?product=82947
> >>>
> >>>
> >>>
> >>> (Just remember that you will need to repeat this after any kernel
> >>> updates.)
> >>>
> >>> From: fatema bannatwala [mailto:fatema.bannatwala at gmail.com]
> >>> Sent: Wednesday, July 11, 2018 13:55 PM
> >>> To: Cloherty, Sean E <scloherty at mitre.org>
> >>> Cc: oisf-users at lists.openinfosecfoundation.org
> >>> Subject: Re: [Oisf-users] High Suricata capture.kernel_drops
> >>>
> >>>
> >>>
> >>> Hi Sean,
> >>>
> >>>
> >>>
> >>> Thanks for some quick points and recommendations.
> >>>
> >>> I will work through those, and see if it helps.
> >>>
> >>>
> >>>
> >>> The documentation describes the tuning assuming two NICs, p1p1 and p1p3,
> >>> which was getting me confused, as I only have a single NIC with 20 cores and
> >>> 40 online threads, so I was struggling to set the config options right in
> >>> the yaml file for cpu_affinity. I will try the hard-coded method instead of
> >>> "all" and see if it helps.
> >>>
> >>>
> >>>
> >>> Fatema.
> >>
> >>
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>
> >> Conference: https://suricon.net
> >> Trainings: https://suricata-ids.org/training/
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
>