[Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support

Nelson, Cooper cnelson at ucsd.edu
Wed Jul 3 17:28:29 UTC 2019


Ok this is very good info, thanks.

My only experience with the X710 cards is reading the documentation, which is where I first heard about this issue.  My memory is that the cards (or more likely the driver) had an option to “properly” handle fragmented TCP packets and recompute the hash after reassembly, however I haven’t been able to find it again after reviewing the docs.  It’s possible I misread or misremembered it.

-Coop

From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: Wednesday, July 3, 2019 12:25 AM
To: Nelson, Cooper <cnelson at ucsd.edu>
Cc: Peter Manev <petermanev at gmail.com>; Cloherty, Sean E <scloherty at mitre.org>; Eric Urban <eurban at umn.edu>; Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support

I will have more observations before the weekend. I've been running Zeek + Suricata at the same busy office, same traffic, on two different sensors:
1. nsm1 - hardware hashing with the low-entropy key (keep reading why)
2. nsm2 - software hashing with cluster_flow

I'll dig more into the source code tomorrow but from what I remember

1. The symmetric hash is disabled by default and cannot be enabled with ethtool without changes to ethtool. Victor proposed them once and they were rejected. Using the low-entropy key was the solution. I might ping Intel again about that.

BTW - we do not know if the symmetric hardware hashing handles fragmented packets correctly, i.e. WHAT is hashed. I'll take a look at the X710 specs.
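
An added illustration, not part of either message in the thread: a software Toeplitz (RSS) hash showing why a repeating 16-bit key hashes both directions of a flow to the same value, and why a packet hashed on addresses only gets a different value than one hashed on the full 4-tuple. It assumes the "low-entropy key" is the repeating `6D:5A` key from the Suricata documentation and that a non-first fragment is hashed on addresses only; neither is confirmed for the X710 here, and the sample flow is constructed.

```python
import ipaddress
import struct

# Assumption: the "low-entropy key" is the repeating 0x6D5A pattern from the
# Suricata docs. Key length varies per NIC; 40 bytes is used here.
SYM_KEY = bytes.fromhex("6d5a") * 20
# Non-repeating key from Microsoft's RSS verification suite, for comparison.
MS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa")


def toeplitz(key, data):
    """RSS Toeplitz hash: XOR the 32-bit key window at bit n for each set input bit n."""
    key_int = int.from_bytes(key, "big")
    top = len(key) * 8 - 32
    result = 0
    for n in range(len(data) * 8):
        if data[n // 8] & (0x80 >> (n % 8)):
            result ^= (key_int >> (top - n)) & 0xFFFFFFFF
    return result


def rss_hash(key, src, dst, sport=None, dport=None):
    """Hash an IPv4 flow. Omitting the ports models a packet with no visible
    L4 header (assumed here for a non-first fragment)."""
    data = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    if sport is not None:
        data += struct.pack("!HH", sport, dport)
    return toeplitz(key, data)


# Constructed sample flow (not taken from the thread).
CLIENT, SERVER, CPORT, SPORT = "10.0.0.1", "10.0.0.2", 40000, 443


def demo():
    """Return {key name: (forward, reverse, addresses-only)} hashes."""
    out = {}
    for name, key in (("symmetric", SYM_KEY), ("ms", MS_KEY)):
        fwd = rss_hash(key, CLIENT, SERVER, CPORT, SPORT)
        rev = rss_hash(key, SERVER, CLIENT, SPORT, CPORT)
        frag = rss_hash(key, CLIENT, SERVER)
        out[name] = (fwd, rev, frag)
    return out


if __name__ == "__main__":
    for name, (fwd, rev, frag) in demo().items():
        print(f"{name:9} fwd={fwd:08x} rev={rev:08x} addr-only={frag:08x}")
```

With the repeating key the forward and reverse hashes match, so both directions reach the same queue, but the addresses-only hash differs from the 4-tuple hash whenever the two ports differ, which is why what the NIC actually hashes for fragments matters.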
