[Oisf-users] Inconsistent packet dropped behaviour with the same config on several nodes

Magmi A magmi.sec at gmail.com
Mon Sep 10 07:48:50 UTC 2018

Hey suricata users,

We have a problem with suricata performance. We have several nodes
running suricata software on different sites. As a result they are
exposed to different kinds of traffic, so that so far it seems to be
problematic to have a consistent config.
Moreover we have an example of two nodes running exactly the same
hardware and the same suricata config; they are located at the same site,
but exposed to different traffic capture sources.

* Node1 receives ~ 500Mbps of traffic (it's a 1Gbps interface), and gets
on average 1-2% kernel packet drops
* Node2 receives ~ 500kbps of traffic and gets on average 10% kernel
packet drops

Capturing the traffic on Node2 with tcpdump and trying to replay it
with tcpreplay towards our lab node results in 0% packet loss, even
at maximum speed.
After analysing the nature of the traffic, there is no big difference in
protocol hierarchy between the traffic captured at Node1 and Node2. The
traffic is almost only TCP and mostly related to SMB.
Trying to adjust the configuration led nowhere. And especially with
this traffic rate we would expect to have 0% loss.

Do you have any suggestion on how best to approach that issue? And
where to start troubleshooting?
