[Oisf-users] Optimal settings for NFLOG capture method

[Timo Sigurdsson]

Hi,

I use Suricata 4.1.2 on Debian 10 with the nflog capture method. As I'm currently looking into Suricata's memory consumption, I looked at the nflog configuration options again and wanted to ask how to tweak these best (not in terms of reducing memory consumption but generally). When I first started using Suricata, I have fiddled with the nflog/netlink buffer size option quite a bit, because with the default values I was seeing lots of warnings that the buffer limit was reached and packets were dropped. So, I increased it repeatedly until these warnings went away. (Btw. I also read somewhere that the buffer size should not be smaller than the default receive buffer size in Linux (net.core.rmem_default), which was already higher than Suricata's default on my system.)
But I'm still wondering whether the other settings qthreshold and qtimeout are ideal (I leaft them at their defaults).

My nflog settings in suricata.yaml are these at the moment:
nflog:
  - group: 101
    buffer-size: 16777216
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 134217728


To be honest, I don't really understand how the buffer size and qthreshold and qtimeout work together. My total WAN interface bandwidth is 120MBit/s (up- and downstream combined). So even if 1s needed to be buffered, that would only be 1.5MB. But with a buffer size of 2MB I was still seeing warnings that the buffer limit was reached which surprises me also because I thought with a qthreshold of 1, there wouldn't be much buffering anyway. 

So, can some tell be how to best figure out the ideal setting for the NFLOG capture method? Or how did you tweak it (if you use nflog, obviously)?

Thanks and happy Easter,

Timo