[Oisf-users] Inconsistent packet dropped behaviour with the same config on several nodes

Peter Manev petermanev at gmail.com
Tue Sep 11 21:24:43 UTC 2018

On Mon, Sep 10, 2018 at 9:49 AM Magmi A <magmi.sec at gmail.com> wrote:
> Hey suricata users,
> We have a problem with suricata performance. We have several nodes running suricata software on different sites. As a result they are exposed to different kinds of traffic, so that so far it seems to be problematic to have a consistent config.
> Moreover we have an example of two nodes running exactly the same hardware, and same suricata config; they are located at the same site, but exposed to different traffic capture sources.
> * Node1 receives ~ 500Mbps of traffic (it's a 1Gbps interface), and gets on average 1-2% kernel packets dropped
> while
> * Node2 receives ~ 500kbps of traffic and gets on average 10% kernel packets dropped

What is different between node 1 and node 2 ? (same config/same
suricata/same HW/same rules...?)

> Capturing the traffic on Node2 with tcpdump and trying to replay it with tcpreplay towards our lab node results in 0% packet loss even with maximum speed.
> After analysing the nature of traffic, there is no big difference in protocol hierarchy between traffic capture at Node1 and Node2. The traffic is almost only TCP and mostly related to SMB.
> Trying to adjust the configuration led nowhere. And especially with that traffic rate we would expect to have 0% loss.
> Do you have any suggestion on how best to approach that issue? And where to start troubleshooting?
> Best
> magmi
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

Peter Manev
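Before comparing two sensors as in the question above, it helps to measure the drop rate the same way on both. The script below is an added example, not code from the thread or from the Suricata project: it reads eve.json `stats` records, takes the delta of the cumulative af-packet counters `capture.kernel_packets` / `capture.kernel_drops` per interval, and reports the average and peak drop percentage per host. It assumes the `host` field is present (Suricata's `sensor-name` setting) and uses constructed sample lines.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines for two sensors (not real data). The "host" field is
# assumed to come from sensor-name. Counters are cumulative, so rates come from deltas.
SAMPLE_EVE = """
{"timestamp":"2018-09-10T09:00:00+0000","event_type":"stats","host":"node1","stats":{"capture":{"kernel_packets":1000000,"kernel_drops":10000}}}
{"timestamp":"2018-09-10T09:00:08+0000","event_type":"stats","host":"node1","stats":{"capture":{"kernel_packets":2000000,"kernel_drops":25000}}}
{"timestamp":"2018-09-10T09:00:16+0000","event_type":"stats","host":"node1","stats":{"capture":{"kernel_packets":300,"kernel_drops":0}}}
{"timestamp":"2018-09-10T09:00:00+0000","event_type":"stats","host":"node2","stats":{"capture":{"kernel_packets":5000,"kernel_drops":500}}}
{"timestamp":"2018-09-10T09:00:08+0000","event_type":"stats","host":"node2","stats":{"capture":{"kernel_packets":6000,"kernel_drops":600}}}
{"timestamp":"2018-09-10T09:00:09+0000","event_type":"alert","host":"node2","alert":{"signature_id":1}}
"""


def drop_rates(lines):
    """Per-host list of kernel drop percentages, one per stats interval."""
    last = {}                      # host -> (packets, drops) from previous record
    rates = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("event_type") != "stats":
            continue               # alerts, flows etc. carry no capture counters
        cap = ev.get("stats", {}).get("capture")
        if not cap:
            continue               # e.g. pcap-file mode has no kernel counters
        host = ev.get("host", "unknown")
        pkts, drops = cap["kernel_packets"], cap["kernel_drops"]
        if host in last:
            dp, dd = pkts - last[host][0], drops - last[host][1]
            # A negative delta means the counters were reset (Suricata restart):
            # skip that interval instead of producing a bogus rate.
            if dp > 0 and dd >= 0:
                rates[host].append(100.0 * dd / dp)
        last[host] = (pkts, drops)
    return dict(rates)


def summarize(rates, threshold_pct=1.0):
    """Average and peak drop percentage per host, flagged against a threshold."""
    return {
        host: {
            "avg_pct": round(sum(r) / len(r), 2),
            "max_pct": round(max(r), 2),
            "over_threshold": sum(r) / len(r) > threshold_pct,
        }
        for host, r in rates.items() if r
    }
```

Run `summarize(drop_rates(open("eve.json")))` on each sensor's real log (or on the merged logs if `host` is set) to get comparable per-interval numbers rather than a single lifetime ratio, which hides bursts.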
