Menu
▾
▴
Re: [Snort-inline-users] snort_inline constantly bad latency
|
From: Roman G. <sl...@sl...> - 2007-04-09 19:41:22
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hallo!
Thank you for your response!
Dave Remien wrote:
> You've run into the "other" "stuck packet issue" with netlink_queues and
> heavy traffic. When you're seeing the 2 sec round trip times, do a "cat
> /proc/net/netfilter/nfnetlink_queue". You'll probably see something like
> this:
>
> 50 5679 1 2 65535 0 34 1155049 90214
>
> The 34 in the 7th column means that there wasn't room on the netlink
> socket's queue for the number of packets you had queued up, so some 34
> were dropped; when that happens, the last packet you received is always in
> the nf queue and doesn't get delivered to snort until the next packet
> arrives, effectively pushing it out. (That's the permanent 1 in the 3rd
> field; under normal circumstances, this will go to 0 a lot of the time).
> In the real world, this is usually in less than a second, but your pings
> are a second apart, and probably go through snort twice, hence the 2
> second timing. Try "watch cat /proc/net/netfilter/nfnetlink_queue".
>
But normaly when load disappears the queue should become empty and
this problem should disappear. right?
And it is not the case here. It stays forever. Even when there is no
load at all.
Here is the output
zaga4:~# cat /proc/net/netfilter/nfnetlink_queue
1 4787 1 2 65535 0 889803 4062359 1
2 4788 1 2 65535 0 672482 3527632 1
Ideas ?
> Couple of things to do:
>
> 1. Make sure you're using the latest/greatest libnfnetlink and
> libnetfilter_queue:
>
> http://www.netfilter.org/projects/libnfnetlink/files/libnfnetlink-0.0.25.tar.bz2
>
> and
>
> http://www.netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-0.0.13.tar.bz2
>
> They have fixes that help with this; the 2.6.18 kernel has the kernel side
> fixes (added at 2.6.15).
>
> Also, you should increase the amount of memory available for packets on
> your sockets with:
>
> sysctl -w net.core.rmem_default = 8388608
> sysctl -w net.core.rmem_max = 16777216
>
> and last, but not least, set the
>
> #define NFQNL_QMAX_DEFAULT 1024
>
> value in nfnetlink_queue.c (in your kernel tree) to something like 8192
> and rebuild the nfnetlink_queue module. (Harald's defaults are fine if
> you're using a ton of queues and the programs reading/writing them are
> extremely fast, snort_inline doesn't fit that category 8-).
>
> Cheers,
>
> Dave
>
>
I try all the things now, you have suggested!
With best wishes and lots of thanks
Roman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQIVAwUBRhqWYrhQu20hGMIkAQKeZQ/9EQ/6Kc50bKrLfP4xbqAatjTIknX+m639
w/Pffe4ZZtwpyJnwt6KpWyJSmhDBm1FOtduJ9jyqjVj0JcobhhU/APwHRO/F8Qhg
zHqoLBNegQoRFWbMSL9FsafWrAV5pbWPj1jRzD66hLY8GarerQ812emzWEDNEfch
CoM0eG9tONmV3A5MuUVEwjNVrbxT2ggsbPBaqgHIC7YpfskrY0Ew9glFsmjbkZFS
ShrU603+fVr7XwB74J1+3S4qp8QXQxabt9sLyxkhzbejogrTgfJSPRBMS4BFV+4x
jUTDgkbsye70Uuq0qUK4jJ7xxvEuU+IyrkepgUQ+5WDWfbSHEOndCMkUtb9WKkxG
ppjkLfXHskn3ImacxQncl6MwXlPJNZI3NU898o3n3nnsTsIE+/b4kAtKm3VHAGCw
fhbCaSTmsfQs1Ia2/46f3L1RJ5oOttBQFCWSFTMY2XWEBCkx/Nfpl0c7or/8AMI0
bHo7Mo935yn1LgjRQ+glj8TDMMnSWrS58bAW1Zg0j27CqPt9xLGfdV0j90iOQddz
HF6yujbOcnQ/1OD7OX9Zp3VloRhN5wZDAoVqZ30Ybq5ge17WdELaQzUe8jkoK2eb
1mSD0/0kPfE6yfc3q/heCDR+z6HAYFOzMrIy8b+KnnuSRT1ziklhjL7siK1LU+BT
NJao1C7ri7I=
=Kn1+
-----END PGP SIGNATURE-----
|
