[Oisf-users] Capture loss ~50% reported using Myricom with Suri v 5.0.2

fatema bannatwala fatema.bannatwala at gmail.com
Fri Jun 19 17:58:39 UTC 2020 

Hello Experts,

Need some help tuning down our prod suricata box running Suricata v 5.0.2
with Myricom NIC: 10G-PCIE-8B-S myri_snf 3.0.20.50894

It is consistently reporting ~50% capture loss, calculated based off of the
capture.kernel_packets and capture.kernel_dropped values reported in
stats.log file.

I have followed the
https://blog.inliniac.net/2012/07/10/suricata-on-myricom-capture-cards/
guide to pin the cpus to the worker nodes and use pcap.buffer_size to
increase the SNF dataring size, but no effect..

We have one Myri card connected to p2p1 and two NUMA nodes, each with 8
cores (16 HT):
NUMA node0 CPU(s):     0-7,16-23
NUMA node1 CPU(s):     8-15,24-31
OS: Centos 7

Any help in the right direction would be appreciated! :)

Thanks!
Fatema

Following is settings from suricata.yml file

# Myricom support

pcap:

  - interface: p2p1

    threads: 14

    buffer-size: 2gb

    checksum-checks: no

pcap-file:

  checksum-checks: auto


threading:

  set-cpu-affinity: yes

  cpu-affinity:

    - management-cpu-set:

        cpu: [ "0" ]

        mode: "balanced"

        prio:

          default: "low"

    - worker-cpu-set:

        cpu: [ "1-7","9-15" ]

        mode: "exclusive"

        prio:

          default: "high"


Following is the currently recorded stats.log:

------------------------------------------------------------------------------------

Date: 6/19/2020 -- 10:55:36 (uptime: 0d, 04h 04m 10s)

------------------------------------------------------------------------------------

Counter                                       | TM Name                   |
Value

------------------------------------------------------------------------------------

capture.kernel_packets                        | Total                     |
28447139411

capture.kernel_drops                          | Total                     |
27910518132

capture.kernel_ifdrops                        | Total                     |
6034

decoder.pkts                                  | Total                     |
536633135



SNF parameters:


SNF_APP_ID=32

SNF_DATARING_SIZE=4096MB

SNF_DESCRING_SIZE=1024MB

SNF_NUM_RINGS=14

SNF_FLAGS=0x1


LD_PRELOAD="/opt/snf/lib/libpcap.so.1"


OPTIONS="--user suricata --group suricata --pcap"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200619/7a4d710d/attachment.html>

More information about the Oisf-users mailing list