[Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support

Michał Purzyński michalpurzynski1 at gmail.com
Wed Jul 3 23:01:17 UTC 2019


It would be surprising indeed if such a low-memory card could reassemble
an entire TCP stream (that's potentially huge). All this card has is a small
buffer, on the order of like 1MB or so, to allow for frames packetization
(lol) to send ethernet frames over PCI-E packets.

Another interesting observation - there have been no packets on the wrong
thread anymore in my X710 setup that hashes only IP src and dst. Again,
this is according to expectations, but it's nice to have a data point that
validates those.



On Wed, Jul 3, 2019 at 10:28 AM Nelson, Cooper <cnelson at ucsd.edu> wrote:

> Ok this is very good info, thanks.
>
>
>
> My only experience with the X710 cards is reading the documentation, which
> is where I first heard about this issue.  My memory is that the cards (or
> more likely the driver) had an option to “properly” handle fragmented TCP
> packets and recompute the hash after reassembly, however I haven’t been
> able to find it again after reviewing the docs.  It’s possible I misread or
> misremembered it.
>
>
>
> -Coop
>
>
>
> *From:* Michał Purzyński <michalpurzynski1 at gmail.com>
> *Sent:* Wednesday, July 3, 2019 12:25 AM
> *To:* Nelson, Cooper <cnelson at ucsd.edu>
> *Cc:* Peter Manev <petermanev at gmail.com>; Cloherty, Sean E <
> scloherty at mitre.org>; Eric Urban <eurban at umn.edu>; Open Information
> Security Foundation <oisf-users at lists.openinfosecfoundation.org>
> *Subject:* Re: [Oisf-users] [EXT] Re: Packet loss and increased resource
> consumption after upgrade to 4.1.2 with Rust support
>
>
>
> I will have more observations before the weekend, I've been running Zeek +
> Suricata at the same busy office, same traffic, on two different sensors
>
> 1. nsm1 - hardware hashing with the low-entropy key (keep reading why)
>
> 2. nsm2 - software hashing with cluster_flow
>
>
>
> I'll dig more into the source code tomorrow but from what I remember
>
>
>
> 1. The symmetric hash is disabled by default and cannot be enabled with
> ethtool without changes to the ethtool. Victor proposed them once and they
> were rejected. Using the low-entropy key was the solution. I might ping
> Intel again about that.
>
>
>
> BTW - we do not know if the symmetric hardware hashing handles fragmented
> packets correctly, i.e. WHAT is hashed. I'll take a look at the X710 specs.
>
>
>
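
As an added illustration, not part of the original thread or of Suricata's code, the sketch below computes the Toeplitz RSS hash to show why a repeating ("low-entropy") key sends both directions of a flow to the same queue, and why hashing only IP src and dst keeps fragments on that queue too. Assumptions: the key is the 16-bit pattern 0x6D5A repeated to 52 bytes (the thread does not state the key), the NIC falls back to an IP-only hash for fragments that carry no L4 ports, the queue is the hash modulo 8, and the addresses and ports are constructed.

```python
import ipaddress
import struct

# Assumption: "low-entropy key" = 16-bit pattern 0x6D5A repeated (52 bytes here).
LOW_ENTROPY_KEY = bytes.fromhex("6d5a") * 26
NUM_QUEUES = 8  # constructed: one RSS queue per worker thread


def toeplitz(key: bytes, data: bytes) -> int:
    """Toeplitz hash: XOR the 32-bit key window at every set input bit."""
    k = int.from_bytes(key, "big")
    klen = len(key) * 8
    result = 0
    for pos in range(len(data) * 8):
        if data[pos // 8] & (0x80 >> (pos % 8)):
            result ^= (k >> (klen - 32 - pos)) & 0xFFFFFFFF
    return result


def rss_input(src, dst, sport=None, dport=None) -> bytes:
    """Hash input: src IP, dst IP, then ports only if the NIC can see them."""
    data = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    if sport is not None and dport is not None:
        data += struct.pack("!HH", sport, dport)
    return data


def queue(src, dst, sport=None, dport=None) -> int:
    return toeplitz(LOW_ENTROPY_KEY, rss_input(src, dst, sport, dport)) % NUM_QUEUES

# Constructed flow: client 10.1.2.3:50000 -> server 192.0.2.10:443
C, S, CP, SP = "10.1.2.3", "192.0.2.10", 50000, 443


def demo() -> dict:
    return {
        # 4-tuple hashing: the key repeats every 16 bits, so swapping
        # src/dst (a 32-bit shift) and ports (a 16-bit shift) changes nothing
        "l4_c2s": queue(C, S, CP, SP),
        "l4_s2c": queue(S, C, SP, CP),
        # a non-first fragment has no ports, so it is hashed on IPs only
        "l4_fragment": queue(C, S),
        # IP-only hashing: every packet of the flow, fragment or not
        "ip_c2s": queue(C, S),
        "ip_s2c": queue(S, C),
    }


if __name__ == "__main__":
    print(demo())
```

With 4-tuple hashing the fragment lands on a different queue from the rest of its flow, which is what shows up as packets on the wrong thread; with IP-only hashing all five cases agree.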