[Oisf-users] High Suricata capture.kernel_drops

Michał Purzyński michalpurzynski1 at gmail.com
Fri Jul 13 19:45:35 UTC 2018


Looks like you have some memory being allocated during runtime. That will hurt the performance.

We described how to measure how much memory Suricata needs and how to configure. Look at the section “af packet memory consumption calculations” at SEPTun. It also links to an older article with more details.

Ideally, you want to have memory settings in suricata configured so that it won’t allocate anything after it starts.

> On Jul 13, 2018, at 12:33 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> 
>  What is your traffic like?  Do you have lots of 'elephant' (big data) flows?
> 
> Specifically long running flows of 100+ mbit/sec?
> If so and if you have enough memory, increase the size of your ring buffer.  I set mine to 500000 and packet drops are very low as a result (< .1 %).   Also, if you have any PerfSonar appliances, drop them on the tap or interface via a bpf filter. 
> 
> I've done lots of experimenting and the flow-bypass feature doesn't work for non-TCP flows and can be overwhelmed by very high bandwidth TCP flows, so having large buffers for busy networks is still required.
> 
> I've done some experiments and discovered that you can reduce packet drops by ~50% by doubling the number of sensors/cores or ring-size.  However, once you get under 1% drops this rapidly becomes a case of diminishing returns. 
> 
> -Coop
> 
>> On 7/12/2018 7:33 AM, fatema bannatwala wrote:
>> Hi Sean,
>> 
>> Looks like it helped some. Modified the cpu-set settings as you mentioned, and now loss is around 4-5% [capture.kernel_packets: 685173701, capture.kernel_drops: 8692212 ]
>> 
>> I will see if I can recompile Suricata with Hyper-Scan and see if the kernel_drops reduce to a lower number.
>> 
>> Thanks!
>> Fatema.
>> 
>> 
>>> On Thu, Jul 12, 2018 at 9:12 AM, Cloherty, Sean E <scloherty at mitre.org> wrote:
>>> So looking at the docs – for runmode workers these are the two affinity settings which you need to concern yourself with – and the worker-cpu set is the critical one.
>>> 
>>> management-cpu-set - used for management (example - flow.managers, flow.recyclers)
>>> 
>>> worker-cpu-set - used for receive,streamtcp,decode,detect,output(logging),respond/reject
>>> 
>>> What you want to do is to use that list in node 0 as the ones to use for workers and then pick any two for the management CPU from node one –
>>> 
>>> So
>>> 
> 
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
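The affinity advice quoted above (workers on the NIC's NUMA node, two CPUs on the other node for management) is easy to get wrong by hand on a box with many cores. The script below is an added example, not code from the list or from the Suricata project: it parses `lscpu -p=CPU,NODE` output (the sample here is constructed), picks the worker and management CPU sets, and prints the `threading:` fragment for suricata.yaml in the layout the shipped config uses. The worker node, management CPU count and the single-node fallback are my assumptions, not anything stated in the thread.

```python
"""Generate a Suricata cpu-affinity block from lscpu topology.

Added example for this thread (not Suricata's own code): workers are
pinned to one NUMA node (the one the capture NIC sits on), and two CPUs
on a different node are reserved for flow managers / recyclers.
"""
from collections import defaultdict

# Constructed `lscpu -p=CPU,NODE` output: two nodes, 8 CPUs each, no SMT.
SAMPLE_LSCPU = """\
# The following is the parsable format, which can be fed to other
# programs. Each different item in every column has an unique ID
# starting from zero.
# CPU,Node
0,0
1,0
2,0
3,0
4,0
5,0
6,0
7,0
8,1
9,1
10,1
11,1
12,1
13,1
14,1
15,1
"""


def parse_lscpu(text):
    """Map NUMA node -> sorted CPU ids from `lscpu -p=CPU,NODE` output."""
    nodes = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cpu, node = line.split(",")[:2]
        # lscpu leaves NODE empty on non-NUMA hosts; treat that as node 0.
        nodes[int(node) if node else 0].append(int(cpu))
    return {n: sorted(c) for n, c in nodes.items()}


def plan_affinity(nodes, worker_node, mgmt_count=2):
    """Return (worker_cpus, mgmt_cpus).

    Workers get every CPU on `worker_node`; management CPUs come from any
    other node. On a single-node host (assumed fallback) the first
    `mgmt_count` worker CPUs are given up so managers never share a core
    with a capture thread.
    """
    if worker_node not in nodes:
        raise ValueError(f"NUMA node {worker_node} not present: {sorted(nodes)}")
    workers = list(nodes[worker_node])
    others = [c for n, cpus in sorted(nodes.items()) if n != worker_node for c in cpus]
    if len(others) >= mgmt_count:
        mgmt = others[:mgmt_count]
    else:
        if len(workers) <= mgmt_count:
            raise ValueError("not enough CPUs to separate management from workers")
        mgmt, workers = workers[:mgmt_count], workers[mgmt_count:]
    return workers, mgmt


def cpu_ranges(cpus):
    """Collapse [0, 1, 2, 5] -> ['0-2', '5'] so the YAML stays readable."""
    out, start, prev = [], None, None
    for c in cpus:
        if start is None:
            start = prev = c
        elif c == prev + 1:
            prev = c
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = c
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return out


def render_affinity(workers, mgmt):
    """Emit the threading: block for runmode workers."""
    w = ", ".join(f'"{r}"' for r in cpu_ranges(workers))
    m = ", ".join(f'"{r}"' for r in cpu_ranges(mgmt))
    return (
        "threading:\n"
        "  set-cpu-affinity: yes\n"
        "  cpu-affinity:\n"
        "    - management-cpu-set:\n"
        f"        cpu: [ {m} ]\n"
        "    - worker-cpu-set:\n"
        f"        cpu: [ {w} ]\n"
        "        mode: \"exclusive\"\n"
        "        prio:\n"
        "          default: \"high\"\n"
    )


if __name__ == "__main__":
    topo = parse_lscpu(SAMPLE_LSCPU)
    workers, mgmt = plan_affinity(topo, worker_node=0)
    print(render_affinity(workers, mgmt))
```

Before pasting the output, check which node the capture NIC actually lives on (`cat /sys/class/net/<iface>/device/numa_node`) and pass that as `worker_node`; then set `af-packet: threads:` to the number of worker CPUs so one capture thread lands on each pinned core, and re-read `capture.kernel_drops` in stats.log after the change rather than assuming the pinning helped.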