[Oisf-users] High Suricata capture.kernel_drops

Cooper F. Nelson cnelson at ucsd.edu
Fri Jul 13 19:33:21 UTC 2018

What is your traffic like?  Do you have lots of 'elephant' (big data)
Specifically long-running flows of 100+ mbit/sec?

If so and if you have enough memory, increase the size of your ring
buffer.  I set mine to 500000 and packet drops are very low as a result
(< .1 %).   Also, if you have any PerfSonar appliances, drop them on the
tap or interface via a bpf filter.

I've done lots of experimenting and the flow-bypass feature doesn't
work for non-TCP flows and can be overwhelmed by very high bandwidth TCP
flows, so having large buffers for busy networks is still required.

I've done some experiments and discovered that you can reduce packet
drops by ~50% by doubling the number of sensors/cores or ring-size. 
However, once you get under 1% drops this rapidly becomes a case of
diminishing returns.


On 7/12/2018 7:33 AM, fatema bannatwala wrote:
> Hi Sean,
> Looks like it helped some. Modified the cpu-set settings as you
> mentioned, and now loss is around 4-5% [capture.kernel_packets:
> 685173701, capture.kernel_drops: 8692212 ]
> I will see if I can recompile Suricata with Hyper-Scan and see if the
> kernel_drops reduce to a lower number.
> Thanks!
> Fatema.
> On Thu, Jul 12, 2018 at 9:12 AM, Cloherty, Sean E <scloherty at mitre.org
> <mailto:scloherty at mitre.org>> wrote:
>     So looking at the docs – for runmode workers these are the two
>     affinity settings which you need to concern yourself with – and
>     the worker-cpu-set is the critical one.
>     management-cpu-set - used for management (example - flow.managers,
>     flow.recyclers)
>     worker-cpu-set - used for receive, streamtcp, decode, detect,
>     output (logging), respond/reject
>     What you want to do is to use that list in node 0 as the ones to
>     use for workers and then pick any two for the management CPU from
>     node one –
>     So

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
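The ratio this thread keeps coming back to (capture.kernel_drops against capture.kernel_packets) is read from Suricata's stats.log, whose counters are cumulative since startup, so a lifetime percentage and the percentage over the latest interval can differ a lot while tuning ring-size or affinity. The following is an added example, not code from the thread or from the Suricata project; it assumes stats.log's three-column "counter | TM Name | value" layout and uses constructed sample dumps.

```python
"""Lifetime vs. last-interval capture drop rate from Suricata stats.log dumps."""
import re
from typing import Dict, List

# Constructed sample: two consecutive stats.log dumps (not real data).
# Assumes the 'counter | TM Name | value' layout of stats.log (assumption).
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------
Date: 7/13/2018 -- 19:30:00 (uptime: 0d, 00h 08m 00s)
------------------------------------------------------------------------
capture.kernel_packets                        | Total   | 1000000
capture.kernel_drops                          | Total   | 50000
------------------------------------------------------------------------
Date: 7/13/2018 -- 19:30:08 (uptime: 0d, 00h 08m 08s)
------------------------------------------------------------------------
capture.kernel_packets                        | Total   | 3000000
capture.kernel_drops                          | Total   | 70000
"""

COUNTER_RE = re.compile(
    r"^(capture\.kernel_(?:packets|drops))\s*\|\s*\S+\s*\|\s*(\d+)\s*$")


def parse_dumps(text: str) -> List[Dict[str, int]]:
    """Split stats.log text into one dict of capture counters per dump."""
    dumps: List[Dict[str, int]] = []
    for line in text.splitlines():
        if line.startswith("Date:"):      # every dump starts with a Date header
            dumps.append({})
        m = COUNTER_RE.match(line)
        if m and dumps:
            dumps[-1][m.group(1)] = int(m.group(2))
    return dumps


def drop_pct(packets: int, drops: int) -> float:
    """Drops as a percentage of kernel_packets, the ratio the thread discusses."""
    return 0.0 if packets == 0 else 100.0 * drops / packets


def lifetime_drop_pct(dumps: List[Dict[str, int]]) -> float:
    """Cumulative ratio since Suricata started (what the raw counters show)."""
    last = dumps[-1]
    return drop_pct(last["capture.kernel_packets"], last["capture.kernel_drops"])


def interval_drop_pct(dumps: List[Dict[str, int]]) -> float:
    """Ratio over the last interval only: delta drops / delta packets."""
    prev, last = dumps[-2], dumps[-1]
    d_pkts = last["capture.kernel_packets"] - prev["capture.kernel_packets"]
    d_drops = last["capture.kernel_drops"] - prev["capture.kernel_drops"]
    return drop_pct(d_pkts, d_drops)
```

On the constructed sample the lifetime figure is 2.33% while the last interval is 1.00%, which is why a setting change can look like it did little until the cumulative counters are compared between two dumps.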

