[Oisf-users] High Suricata capture.kernel_drops

Peter Manev petermanev at gmail.com
Mon Jul 16 06:51:58 UTC 2018


On Thu, Jul 12, 2018 at 6:13 PM, Kerry Milestone
<Kerry.Milestone at ed.ac.uk> wrote:
> How are you forwarding the traffic to the X710 NIC?  Is the upstream tap
> doing something to the traffic?
>
> decoder.max_pkt_size | Total | 15604

You can try setting defrag to "no" here
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L700
and see if you get expected max packet sizes.


>
> Is the traffic you are inspecting ethernet, or some other fabric?
>
>
>> Date:         Wed, 11 Jul 2018 15:02:42 -0400
>> From:         fatema bannatwala <fatema.bannatwala at gmail.com>
>>
>> $ cat /sys/class/net/em1/device/numa_node
>
> I would have thought that you would want the nic p3p[1,2] rather than
> em1 to determine the NUMA node.  em would refer to the intel 1Gb driver,
> not the i40e 10/40Gb driver.
>
> This command is also useful to see what it is doing:
>
> ethtool -S p3p2 | grep rx | grep -v ": 0"
>
> You'll need to download the i40 driver, to get the handy tool
> set_irq_affinity.
>
>
> Double check you are offloading and getting the card ready prior to
> starting suricata, ie:
>
>
> #!/bin/bash
> # run as root...
>
> NIC=p3p2
> RSS=3
>
> ifconfig $NIC down
> ifconfig $NIC up
>
> ethtool -G $NIC rx 512
>
> echo 1 > /proc/sys/net/ipv6/conf/$NIC/disable_ipv6
> ip link set dev $NIC mtu 9216
>
> for i in rx tx tso gso gro \
> tx-nocache-copy sg txvlan rxvlan; \
> do ethtool -K $NIC $i off 2>&1 > /dev/null; done;
>
> ethtool -K $NIC rxhash on
> ethtool -K $NIC ntuple on
>
> ethtool -C $NIC adaptive-rx off
> ethtool -C $NIC rx-usecs 100
>
> ethtool --set-channels $NIC combined $RSS
> ethtool -X $NIC hkey
> 6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A
> equal $RSS
>
> for proto in tcp4 udp4 ah4 esp4 sctp4 tcp6 udp6 ah6 esp6 sctp6; do
>        ethtool -N $NIC rx-flow-hash $proto sdfn
> done
>
> ./set_irq_affinity 1,3,5 $NIC
>



-- 
Regards,
Peter Manev

