[Oisf-users] High Suricata capture.kernel_drops
Kerry Milestone
Kerry.Milestone at ed.ac.uk
Thu Jul 12 16:13:04 UTC 2018
How are you forwarding the traffic to the X710 NIC? Is the upstream tap
doing something to the traffic?
decoder.max_pkt_size | Total | 15604
Is the traffic you are inspecting Ethernet, or some other fabric?
> Date: Wed, 11 Jul 2018 15:02:42 -0400
> From: fatema bannatwala <fatema.bannatwala at gmail.com>
>
> $ cat /sys/class/net/em1/device/numa_node
I would have thought that you would want the NIC p3p[1,2] rather than
em1 to determine the NUMA node. em would refer to the Intel 1Gb driver,
not the i40e 10/40Gb driver.
This command is also useful to see what it is doing:
ethtool -S p3p2 | grep rx | grep -v ": 0"
You'll need to download the i40e driver to get the handy tool
set_irq_affinity.
Double check you are offloading and getting the card ready prior to
starting Suricata, i.e.:
#!/bin/bash
# run as root...
NIC=p3p2
RSS=3
# Bounce the interface
ifconfig $NIC down
ifconfig $NIC up
# RX ring size, no IPv6 on the capture interface, jumbo MTU
ethtool -G $NIC rx 512
echo 1 > /proc/sys/net/ipv6/conf/$NIC/disable_ipv6
ip link set dev $NIC mtu 9216
# Turn off the offloads; discard both stdout and stderr
for i in rx tx tso gso gro \
    tx-nocache-copy sg txvlan rxvlan; do
    ethtool -K $NIC $i off > /dev/null 2>&1
done
ethtool -K $NIC rxhash on
ethtool -K $NIC ntuple on
# Fixed interrupt coalescing instead of adaptive
ethtool -C $NIC adaptive-rx off
ethtool -C $NIC rx-usecs 100
ethtool --set-channels $NIC combined $RSS
# RSS hash key (repeating 6D:5A), spread equally over $RSS queues
ethtool -X $NIC hkey \
    6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A \
    equal $RSS
# Hash each flow type on src/dst IP and src/dst port
for proto in tcp4 udp4 ah4 esp4 sctp4 tcp6 udp6 ah6 esp6 sctp6; do
    ethtool -N $NIC rx-flow-hash $proto sdfn
done
# Pin the NIC's IRQs to CPUs 1, 3 and 5
./set_irq_affinity 1,3,5 $NIC
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
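
Added example, not part of the original post: a pre-flight check that confirms the NIC is in the state the script above is meant to leave it in, and lists non-zero rx loss counters, before Suricata is started. The function names, the script name `preflight.sh` and the sample output are constructed for illustration. The long feature names are the ones `ethtool -k` prints for the short names passed to `ethtool -K`.

```shell
#!/bin/bash
# Added example: pre-flight check for a capture NIC. Function names are hypothetical.
# Long feature names as printed by `ethtool -k` for the short names used with -K.
WANT_OFF="rx-checksumming tx-checksumming tcp-segmentation-offload generic-segmentation-offload generic-receive-offload scatter-gather tx-vlan-offload rx-vlan-offload tx-nocache-copy"
WANT_ON="receive-hashing ntuple-filters"

# stdin: `ethtool -k` text. stdout: one sorted line per feature in the wrong state.
check_offloads() {
    awk -v offs="$WANT_OFF" -v ons="$WANT_ON" '
        BEGIN { n = split(offs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = "off"
                n = split(ons, b, " ");  for (i = 1; i <= n; i++) want[b[i]] = "on" }
        { name = $1; sub(/:$/, "", name) }
        name in want { seen[name] = 1
                       if ($2 != want[name]) print name ": is " $2 ", want " want[name] }
        END { for (f in want) if (!(f in seen)) print f ": not reported by driver" }
    ' | sort
}

# stdin: `ethtool -S` text. stdout: non-zero rx counters that indicate loss or errors.
rx_loss_counters() {
    awk '{ name = $1; sub(/:$/, "", name) }
         name ~ /rx/ && name ~ /drop|miss|err|discard/ && $2 + 0 > 0 { print name "=" $2 }'
}

# Constructed sample output (not taken from a real host).
SAMPLE_K='Features for p3p2:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
rx-vlan-offload: off
tx-vlan-offload: off
ntuple-filters: off
receive-hashing: on'
SAMPLE_S='NIC statistics:
     rx_packets: 918273
     rx_dropped: 4021
     rx_errors: 0
     tx_errors: 7
     port.rx_discards: 12'

if [ -n "${1:-}" ]; then            # live mode: ./preflight.sh p3p2
    echo "NUMA node: $(cat "/sys/class/net/$1/device/numa_node")"
    ethtool -k "$1" | check_offloads
    ethtool -S "$1" | rx_loss_counters
else                                # offline mode: run on the constructed samples
    printf '%s\n' "$SAMPLE_K" | check_offloads
    printf '%s\n' "$SAMPLE_S" | rx_loss_counters
fi
```

Run it with the capture interface (p3p2 here, not em1) as the only argument; with no argument it runs against the constructed samples.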