[Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support
Nelson, Cooper
cnelson at ucsd.edu
Thu Feb 21 16:19:19 UTC 2019
No guarantee this is what you are seeing, but I had the exact same issue and it was due to our networking folks deploying some of these things on our network:
https://www.perfsonar.net/
They were generating large amounts of jumbo frames up to 64k, which were causing packet drops in the millions when they do a performance test. Filtering them on our Arista solved the problem.
-Coop
-----Original Message-----
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Cloherty, Sean E
Sent: Thursday, February 21, 2019 7:33 AM
To: Peter Manev <petermanev at gmail.com>
Cc: Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support
Hello Peter -
I started 4.1.2 yesterday at 15:41 local time - which means that I missed the big mid-day volume of traffic. However it still dropped almost 18 million packets. Not over time but in a short burst around 21:00. That behavior is something I have observed since at least as far back as 2016. When Suricata drops packets on any of my tuned systems, it happens in short bursts from one entry in the stats log to the next (5 minutes) and then stops. More info:
* These bursts seem to last no longer than 5-10 minutes and then are stable for hours / days / weeks.
* The numbers dropped are usually in the millions. In testing on 4.1.2 it went from no drops at startup at 15:41 and then between 22:12 and 22:16 it dropped 17.92 million packets.
* Traffic volume doesn't seem to correlate to packet drops. At the time I fired the 4.1.2 host up, the avg volume was 1.72Gbps with peaks close to 3.1 Gbps. At the time when the 17 million packets dropped, the avg volume was 640 Gbps with peaks around 1.35 Gbps.
In the past I would see a normal linear increase in packet loss over time. Once you helped with tuning, that almost never happened. SEPTun reduced it further. I monitor CPU Use / RAM Use / Interrupts / and Suricata stats via Zabbix so I can do a pretty quick comparison of when the drops happen and what else is going on at the time so I am at a bit of a loss where there seems to be no correlation.
Sean.
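
The burst pattern described in the message above appears as a jump in the cumulative capture.kernel_drops counter between two consecutive stats.log dumps. The following is an added example, not part of either message: it assumes the default stats.log text layout, and the sample log and the 1,000,000-drop threshold are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of Suricata's stats.log (all values made up).
SAMPLE = """\
Date: 2/20/2019 -- 22:07:00 (uptime: 0d, 06h 26m 00s)
capture.kernel_packets                     | Total                     | 900000000
capture.kernel_drops                       | Total                     | 0
Date: 2/20/2019 -- 22:12:00 (uptime: 0d, 06h 31m 00s)
capture.kernel_packets                     | Total                     | 960000000
capture.kernel_drops                       | Total                     | 40000
Date: 2/20/2019 -- 22:17:00 (uptime: 0d, 06h 36m 00s)
capture.kernel_packets                     | Total                     | 1000000000
capture.kernel_drops                       | Total                     | 17960000
Date: 2/20/2019 -- 22:22:00 (uptime: 0d, 06h 41m 00s)
capture.kernel_packets                     | Total                     | 1050000000
capture.kernel_drops                       | Total                     | 17960000
"""
DATE_RE = re.compile(r"^Date:\s+(\d+/\d+/\d+) -- (\d+:\d+:\d+)")
COUNTER_RE = re.compile(r"^(capture\.kernel_(?:packets|drops))\s*\|\s*Total\s*\|\s*(\d+)")

def parse_snapshots(text):
    """Return [(timestamp, {counter: value})], one entry per stats dump."""
    snaps = []
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.groups()), "%m/%d/%Y %H:%M:%S")
            snaps.append((ts, {}))
        elif snaps and (c := COUNTER_RE.match(line)):
            snaps[-1][1][c.group(1)] = int(c.group(2))
    return snaps

def drop_bursts(snaps, min_drops=1_000_000):
    """Diff the cumulative counters between dumps; keep intervals over the threshold."""
    bursts = []
    for (t0, a), (t1, b) in zip(snaps, snaps[1:]):
        drops = b.get("capture.kernel_drops", 0) - a.get("capture.kernel_drops", 0)
        pkts = b.get("capture.kernel_packets", 0) - a.get("capture.kernel_packets", 0)
        if drops < 0:  # counters start again from zero after a restart; skip that interval
            continue
        if drops >= min_drops:
            bursts.append((t0, t1, drops, pkts))
    return bursts

if __name__ == "__main__":
    for t0, t1, drops, pkts in drop_bursts(parse_snapshots(SAMPLE)):
        print(f"{t0:%H:%M} -> {t1:%H:%M}: {drops:,} drops, {pkts:,} kernel packets")
```

The interval timestamps it reports can then be lined up against CPU, interrupt and traffic graphs, or against the schedule of any network test hosts.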