Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: NTop: Misc
PF_RING 75-88% packet loss (using Suricata)
 

Index | Next | Previous | View Flat


mike.cox52 at gmail

May 3, 2012, 8:28 AM


Views: 1913
Permalink
PF_RING 75-88% packet loss (using Suricata)

This is my first time posting so I apologize if this is a simple
question or has been asked before.

I am seeing 75-88% packet loss on PF_RING, running Suricata Suricata
1.3dev (rev e6dea5c) and PF_RING 5.3.0 on CentOS. Suricata is pegging
all four 1.6 GHz processor cores but the reason I'm posting here is
because it looks like PF_RING is responsible for all the drops.

The suricata.drop log is not showing drops and I'm running Suricata
with the pf_ring options '--pfring-int=eth2 --pfring-cluster-id=99
--pfring-cluster-type=cluster_flow ' and '--runmode=autofp' (I have
also increased pre-allocation, reassembly, and session memory sizes in
Suricata's config).

ifconfig doesn't show the drops (except for some packets that wanted
to be forwarded and 1 checksum error):

# /sbin/ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:1B:78:31:D1:D4
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2340853835 errors:1 dropped:130 overruns:0 frame:1
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2910286855 (2.7 GiB) TX bytes:0 (0.0 b)
Interrupt:185 Memory:f4000000-f4012800

# cat /proc/net/pf_ring/1509-eth2.23
Bound Device(s) : eth2
Slot Version : 13 [5.3.0]
Active : 1
Breed : Non-DNA
Sampling Rate : 1
Capture Direction : RX+TX
Socket Mode : RX+TX
Appl. Name : Suricata
IP Defragment : No
BPF Filtering : Disabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0
Poll Pkt Watermark : 128
Num Poll Calls : 4711762
Channel Id : -1
Cluster Id : 0
Min Num Slots : 4982
Bucket Len : 1522
Slot Len : 1682 [bucket+header]
Tot Memory : 8388608
Tot Packets : 3654955802
Tot Pkt Lost : 2819352763
Tot Insert : 835603039
Tot Read : 835593109
Insert Offset : 6562037
Remove Offset : 6565218
Tot Fwd Ok : 0
Tot Fwd Errors : 0
Num Free Slots : 0

# cat /proc/net/pf_ring/info
PF_RING Version : 5.3.0 ($Revision: exported$)
Ring slots : 4096
Slot version : 13
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes (mode 0)
Total rings : 1
Total plugins : 0

I already increased some memory limits in the OS:

sysctl -w net.core.rmem_max=33554432
sysctl -w net.core.wmem_max=33554432
sysctl -w net.ipv4.tcp_rmem=33554432
sysctl -w net.ipv4.tcp_wmem=33554432
sysctl -w net.core.netdev_max_backlog=5000

RAM usage on the box is less than half of the 3+ GB and eth2 basically
sits off a span port on the switch and sees 40-60 MiB of traffic.

Any idea why PF_RING is dropping so much? Let me know what other info you need.

Thanks.

-Mike Cox
_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Subject User Time
PF_RING 75-88% packet loss (using Suricata) mike.cox52 at gmail May 3, 2012, 8:28 AM
    Re: PF_RING 75-88% packet loss (using Suricata) c.d.wakelin at reading May 3, 2012, 8:41 AM
        Re: PF_RING 75-88% packet loss (using Suricata) mike.cox52 at gmail May 3, 2012, 9:26 AM
    Re: PF_RING 75-88% packet loss (using Suricata) c.d.wakelin at reading May 3, 2012, 9:53 AM
        Re: PF_RING 75-88% packet loss (using Suricata) mike.cox52 at gmail May 4, 2012, 9:35 AM

  Index | Next | Previous | View Flat
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.