High Suricata Packet Loss #12329

technox123 · 2024-02-08T15:10:33Z

technox123
Feb 8, 2024

Version

2.4.40

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

6

RAM

64

Storage for /

500gb

Storage for /nsm

1tb

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi all, back for round two!

I managed to get Security Onion running on Alma Linux 9.3 (I thought it was fine). However, I came across a really weird problem, which led to me install it via the officially supported ISO. But the exact same thing happens even after the ISO installation.

Suricata after around ~10-20 minutes starts losing packets, and then it caps out at 50% on the influxDB dashboard. As can be seen here:

The only way to fix this is via a container restart. But then the same thing happens again.

Looking at the monitoring interface status on InfluxDB you can also see that none are showing as dropped there.

I then checked the stats.log of Suricata and below is the output:

Date: 2/8/2024 -- 14:21:36 (uptime: 0d, 01h 51m 34s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 34874140
capture.kernel_drops                          | Total                     | 22222913
capture.errors                                | Total                     | 0
capture.afpacket.busy_loop_avg                | Total                     | 0
capture.afpacket.polls                        | Total                     | 6820688287
capture.afpacket.poll_signal                  | Total                     | 0
capture.afpacket.poll_timeout                 | Total                     | 303892
capture.afpacket.poll_data                    | Total                     | 6820384395
capture.afpacket.poll_errors                  | Total                     | 0
capture.afpacket.send_errors                  | Total                     | 0
decoder.pkts                                  | Total                     | 6578020
decoder.bytes                                 | Total                     | 6106893153
decoder.invalid                               | Total                     | 0
decoder.ipv4                                  | Total                     | 6430295
decoder.ipv6                                  | Total                     | 131551
decoder.ethernet                              | Total                     | 6578020
decoder.arp                                   | Total                     | 8366
decoder.unknown_ethertype                     | Total                     | 7808
decoder.chdlc                                 | Total                     | 0
decoder.raw                                   | Total                     | 0
decoder.null                                  | Total                     | 0
decoder.sll                                   | Total                     | 0
decoder.tcp                                   | Total                     | 6085502
tcp.syn                                       | Total                     | 122152
tcp.synack                                    | Total                     | 122814
tcp.rst                                       | Total                     | 6988
decoder.udp                                   | Total                     | 466238
decoder.sctp                                  | Total                     | 0
decoder.esp                                   | Total                     | 0
decoder.icmpv4                                | Total                     | 5674
decoder.icmpv6                                | Total                     | 4432
decoder.ppp                                   | Total                     | 0
decoder.pppoe                                 | Total                     | 0
decoder.geneve                                | Total                     | 0
decoder.gre                                   | Total                     | 0
decoder.vlan                                  | Total                     | 0
decoder.vlan_qinq                             | Total                     | 0
decoder.vlan_qinqinq                          | Total                     | 0
decoder.vxlan                                 | Total                     | 0
decoder.vntag                                 | Total                     | 0
decoder.ieee8021ah                            | Total                     | 0
decoder.teredo                                | Total                     | 0
decoder.ipv4_in_ipv6                          | Total                     | 0
decoder.ipv6_in_ipv6                          | Total                     | 0
decoder.mpls                                  | Total                     | 0
decoder.avg_pkt_size                          | Total                     | 928
decoder.max_pkt_size                          | Total                     | 1514
decoder.max_mac_addrs_src                     | Total                     | 0
decoder.max_mac_addrs_dst                     | Total                     | 0
decoder.erspan                                | Total                     | 0
decoder.nsh                                   | Total                     | 0
flow.memcap                                   | Total                     | 0
tcp.active_sessions                           | Total                     | 0
flow.total                                    | Total                     | 83460
flow.active                                   | Total                     | 0
flow.tcp                                      | Total                     | 62627
flow.udp                                      | Total                     | 20702
flow.icmpv4                                   | Total                     | 4
flow.icmpv6                                   | Total                     | 127
flow.tcp_reuse                                | Total                     | 187
flow.get_used                                 | Total                     | 0
flow.get_used_eval                            | Total                     | 0
flow.get_used_eval_reject                     | Total                     | 0
flow.get_used_eval_busy                       | Total                     | 0
flow.get_used_failed                          | Total                     | 0
flow.wrk.spare_sync_avg                       | Total                     | 94
flow.wrk.spare_sync                           | Total                     | 408
flow.wrk.spare_sync_incomplete                | Total                     | 220
flow.wrk.spare_sync_empty                     | Total                     | 0
defrag.ipv4.fragments                         | Total                     | 0
defrag.ipv4.reassembled                       | Total                     | 0
defrag.ipv6.fragments                         | Total                     | 0
defrag.ipv6.reassembled                       | Total                     | 0
defrag.max_frag_hits                          | Total                     | 0
decoder.event.ipv4.pkt_too_small              | Total                     | 0
decoder.event.ipv4.hlen_too_small             | Total                     | 0
decoder.event.ipv4.iplen_smaller_than_hlen    | Total                     | 0
decoder.event.ipv4.trunc_pkt                  | Total                     | 0
decoder.event.ipv4.opt_invalid                | Total                     | 0
decoder.event.ipv4.opt_invalid_len            | Total                     | 0
decoder.event.ipv4.opt_malformed              | Total                     | 0
decoder.event.ipv4.opt_pad_required           | Total                     | 0
decoder.event.ipv4.opt_eol_required           | Total                     | 0
decoder.event.ipv4.opt_duplicate              | Total                     | 0
decoder.event.ipv4.opt_unknown                | Total                     | 0
decoder.event.ipv4.wrong_ip_version           | Total                     | 0
decoder.event.ipv4.icmpv6                     | Total                     | 0
decoder.event.icmpv4.pkt_too_small            | Total                     | 0
decoder.event.icmpv4.unknown_type             | Total                     | 0
decoder.event.icmpv4.unknown_code             | Total                     | 0
decoder.event.icmpv4.ipv4_trunc_pkt           | Total                     | 0
decoder.event.icmpv4.ipv4_unknown_ver         | Total                     | 0
decoder.event.icmpv6.unknown_type             | Total                     | 0
decoder.event.icmpv6.unknown_code             | Total                     | 0
decoder.event.icmpv6.pkt_too_small            | Total                     | 0
decoder.event.icmpv6.ipv6_unknown_version     | Total                     | 0
decoder.event.icmpv6.ipv6_trunc_pkt           | Total                     | 0
decoder.event.icmpv6.mld_message_with_invalid_hl | Total                     | 0
decoder.event.icmpv6.unassigned_type          | Total                     | 0
decoder.event.icmpv6.experimentation_type     | Total                     | 0
decoder.event.ipv6.pkt_too_small              | Total                     | 0
decoder.event.ipv6.trunc_pkt                  | Total                     | 0
decoder.event.ipv6.trunc_exthdr               | Total                     | 0
decoder.event.ipv6.exthdr_dupl_fh             | Total                     | 0
decoder.event.ipv6.exthdr_useless_fh          | Total                     | 0
decoder.event.ipv6.exthdr_dupl_rh             | Total                     | 0
decoder.event.ipv6.exthdr_dupl_hh             | Total                     | 0
decoder.event.ipv6.exthdr_dupl_dh             | Total                     | 0
decoder.event.ipv6.exthdr_dupl_ah             | Total                     | 0
decoder.event.ipv6.exthdr_dupl_eh             | Total                     | 0
decoder.event.ipv6.exthdr_invalid_optlen      | Total                     | 0
decoder.event.ipv6.wrong_ip_version           | Total                     | 0
decoder.event.ipv6.exthdr_ah_res_not_null     | Total                     | 0
decoder.event.ipv6.hopopts_unknown_opt        | Total                     | 0
decoder.event.ipv6.hopopts_only_padding       | Total                     | 0
decoder.event.ipv6.dstopts_unknown_opt        | Total                     | 0
decoder.event.ipv6.dstopts_only_padding       | Total                     | 0
decoder.event.ipv6.rh_type_0                  | Total                     | 0
decoder.event.ipv6.zero_len_padn              | Total                     | 518
decoder.event.ipv6.fh_non_zero_reserved_field | Total                     | 0
decoder.event.ipv6.data_after_none_header     | Total                     | 0
decoder.event.ipv6.unknown_next_header        | Total                     | 0
decoder.event.ipv6.icmpv4                     | Total                     | 0
decoder.event.tcp.pkt_too_small               | Total                     | 0
decoder.event.tcp.hlen_too_small              | Total                     | 0
decoder.event.tcp.invalid_optlen              | Total                     | 0
decoder.event.tcp.opt_invalid_len             | Total                     | 0
decoder.event.tcp.opt_duplicate               | Total                     | 0
decoder.event.udp.pkt_too_small               | Total                     | 0
decoder.event.udp.hlen_too_small              | Total                     | 0
decoder.event.udp.hlen_invalid                | Total                     | 0
decoder.event.udp.len_invalid                 | Total                     | 0
decoder.event.sll.pkt_too_small               | Total                     | 0
decoder.event.ethernet.pkt_too_small          | Total                     | 0
decoder.event.ppp.pkt_too_small               | Total                     | 0
decoder.event.ppp.vju_pkt_too_small           | Total                     | 0
decoder.event.ppp.ip4_pkt_too_small           | Total                     | 0
decoder.event.ppp.ip6_pkt_too_small           | Total                     | 0
decoder.event.ppp.wrong_type                  | Total                     | 0
decoder.event.ppp.unsup_proto                 | Total                     | 0
decoder.event.pppoe.pkt_too_small             | Total                     | 0
decoder.event.pppoe.wrong_code                | Total                     | 0
decoder.event.pppoe.malformed_tags            | Total                     | 0
decoder.event.gre.pkt_too_small               | Total                     | 0
decoder.event.gre.wrong_version               | Total                     | 0
decoder.event.gre.version0_recur              | Total                     | 0
decoder.event.gre.version0_flags              | Total                     | 0
decoder.event.gre.version0_hdr_too_big        | Total                     | 0
decoder.event.gre.version0_malformed_sre_hdr  | Total                     | 0
decoder.event.gre.version1_chksum             | Total                     | 0
decoder.event.gre.version1_route              | Total                     | 0
decoder.event.gre.version1_ssr                | Total                     | 0
decoder.event.gre.version1_recur              | Total                     | 0
decoder.event.gre.version1_flags              | Total                     | 0
decoder.event.gre.version1_no_key             | Total                     | 0
decoder.event.gre.version1_wrong_protocol     | Total                     | 0
decoder.event.gre.version1_malformed_sre_hdr  | Total                     | 0
decoder.event.gre.version1_hdr_too_big        | Total                     | 0
decoder.event.vlan.header_too_small           | Total                     | 0
decoder.event.vlan.unknown_type               | Total                     | 0
decoder.event.vlan.too_many_layers            | Total                     | 0
decoder.event.ieee8021ah.header_too_small     | Total                     | 0
decoder.event.vntag.header_too_small          | Total                     | 0
decoder.event.vntag.unknown_type              | Total                     | 0
decoder.event.ipraw.invalid_ip_version        | Total                     | 0
decoder.event.ltnull.pkt_too_small            | Total                     | 0
decoder.event.ltnull.unsupported_type         | Total                     | 0
decoder.event.sctp.pkt_too_small              | Total                     | 0
decoder.event.esp.pkt_too_small               | Total                     | 0
decoder.event.ipv4.frag_pkt_too_large         | Total                     | 0
decoder.event.ipv6.frag_pkt_too_large         | Total                     | 0
decoder.event.ipv4.frag_overlap               | Total                     | 0
decoder.event.ipv6.frag_overlap               | Total                     | 0
decoder.event.ipv6.frag_invalid_length        | Total                     | 0
decoder.event.ipv4.frag_ignored               | Total                     | 0
decoder.event.ipv6.frag_ignored               | Total                     | 0
decoder.event.ipv6.ipv4_in_ipv6_too_small     | Total                     | 0
decoder.event.ipv6.ipv4_in_ipv6_wrong_version | Total                     | 0
decoder.event.ipv6.ipv6_in_ipv6_too_small     | Total                     | 0
decoder.event.ipv6.ipv6_in_ipv6_wrong_version | Total                     | 0
decoder.event.mpls.header_too_small           | Total                     | 0
decoder.event.mpls.pkt_too_small              | Total                     | 0
decoder.event.mpls.bad_label_router_alert     | Total                     | 0
decoder.event.mpls.bad_label_implicit_null    | Total                     | 0
decoder.event.mpls.bad_label_reserved         | Total                     | 0
decoder.event.mpls.unknown_payload_type       | Total                     | 0
decoder.event.vxlan.unknown_payload_type      | Total                     | 0
decoder.event.geneve.unknown_payload_type     | Total                     | 0
decoder.event.erspan.header_too_small         | Total                     | 0
decoder.event.erspan.unsupported_version      | Total                     | 0
decoder.event.erspan.too_many_vlan_layers     | Total                     | 0
decoder.event.dce.pkt_too_small               | Total                     | 0
decoder.event.chdlc.pkt_too_small             | Total                     | 0
decoder.event.nsh.header_too_small            | Total                     | 0
decoder.event.nsh.unsupported_version         | Total                     | 0
decoder.event.nsh.bad_header_length           | Total                     | 0
decoder.event.nsh.reserved_type               | Total                     | 0
decoder.event.nsh.unsupported_type            | Total                     | 0
decoder.event.nsh.unknown_payload             | Total                     | 0
decoder.too_many_layers                       | Total                     | 0
flow_bypassed.local_pkts                      | Total                     | 0
flow_bypassed.local_bytes                     | Total                     | 0
flow_bypassed.local_capture_pkts              | Total                     | 0
flow_bypassed.local_capture_bytes             | Total                     | 0
flow.wrk.flows_evicted_needs_work             | Total                     | 49218
flow.wrk.flows_evicted_pkt_inject             | Total                     | 52387
flow.wrk.flows_evicted                        | Total                     | 41189
flow.wrk.flows_injected                       | Total                     | 49147
flow.wrk.flows_injected_max                   | Total                     | 31
tcp.sessions                                  | Total                     | 61396
tcp.ssn_memcap_drop                           | Total                     | 0
tcp.ssn_from_cache                            | Total                     | 40656
tcp.ssn_from_pool                             | Total                     | 20740
tcp.pseudo                                    | Total                     | 0
tcp.pseudo_failed                             | Total                     | 0
tcp.invalid_checksum                          | Total                     | 0
tcp.midstream_pickups                         | Total                     | 0
tcp.pkt_on_wrong_thread                       | Total                     | 0
tcp.ack_unseen_data                           | Total                     | 191609
tcp.segment_memcap_drop                       | Total                     | 0
tcp.segment_from_cache                        | Total                     | 875975
tcp.segment_from_pool                         | Total                     | 18165
tcp.stream_depth_reached                      | Total                     | 63
tcp.reassembly_gap                            | Total                     | 2866
tcp.overlap                                   | Total                     | 441219
tcp.overlap_diff_data                         | Total                     | 0
tcp.insert_data_normal_fail                   | Total                     | 0
tcp.insert_data_overlap_fail                  | Total                     | 0
detect.alert                                  | Total                     | 6577
detect.alert_queue_overflow                   | Total                     | 3
detect.alerts_suppressed                      | Total                     | 4923
app_layer.flow.http                           | Total                     | 12029
app_layer.tx.http                             | Total                     | 12917
app_layer.error.http.gap                      | Total                     | 0
app_layer.error.http.alloc                    | Total                     | 0
app_layer.error.http.parser                   | Total                     | 0
app_layer.error.http.internal                 | Total                     | 0
app_layer.flow.ftp                            | Total                     | 0
app_layer.tx.ftp                              | Total                     | 0
app_layer.error.ftp.gap                       | Total                     | 0
app_layer.error.ftp.alloc                     | Total                     | 0
app_layer.error.ftp.parser                    | Total                     | 0
app_layer.error.ftp.internal                  | Total                     | 0
app_layer.flow.smtp                           | Total                     | 0
app_layer.tx.smtp                             | Total                     | 0
app_layer.error.smtp.gap                      | Total                     | 0
app_layer.error.smtp.alloc                    | Total                     | 0
app_layer.error.smtp.parser                   | Total                     | 0
app_layer.error.smtp.internal                 | Total                     | 0
app_layer.flow.tls                            | Total                     | 48233
app_layer.tx.tls                              | Total                     | 0
app_layer.error.tls.gap                       | Total                     | 1281
app_layer.error.tls.alloc                     | Total                     | 0
app_layer.error.tls.parser                    | Total                     | 51
app_layer.error.tls.internal                  | Total                     | 0
app_layer.flow.ssh                            | Total                     | 219
app_layer.tx.ssh                              | Total                     | 0
app_layer.error.ssh.gap                       | Total                     | 11
app_layer.error.ssh.alloc                     | Total                     | 0
app_layer.error.ssh.parser                    | Total                     | 0
app_layer.error.ssh.internal                  | Total                     | 0
app_layer.flow.imap                           | Total                     | 0
app_layer.tx.imap                             | Total                     | 0
app_layer.error.imap.gap                      | Total                     | 0
app_layer.error.imap.alloc                    | Total                     | 0
app_layer.error.imap.parser                   | Total                     | 0
app_layer.error.imap.internal                 | Total                     | 0
app_layer.flow.smb                            | Total                     | 0
app_layer.tx.smb                              | Total                     | 0
app_layer.error.smb.gap                       | Total                     | 0
app_layer.error.smb.alloc                     | Total                     | 0
app_layer.error.smb.parser                    | Total                     | 0
app_layer.error.smb.internal                  | Total                     | 0
app_layer.flow.dcerpc_tcp                     | Total                     | 0
app_layer.tx.dcerpc_tcp                       | Total                     | 0
app_layer.error.dcerpc_tcp.gap                | Total                     | 0
app_layer.error.dcerpc_tcp.alloc              | Total                     | 0
app_layer.error.dcerpc_tcp.parser             | Total                     | 0
app_layer.error.dcerpc_tcp.internal           | Total                     | 0
app_layer.flow.dns_tcp                        | Total                     | 1
app_layer.tx.dns_tcp                          | Total                     | 2
app_layer.error.dns_tcp.gap                   | Total                     | 0
app_layer.error.dns_tcp.alloc                 | Total                     | 0
app_layer.error.dns_tcp.parser                | Total                     | 0
app_layer.error.dns_tcp.internal              | Total                     | 0
app_layer.flow.modbus                         | Total                     | 0
app_layer.tx.modbus                           | Total                     | 0
app_layer.error.modbus.gap                    | Total                     | 0
app_layer.error.modbus.alloc                  | Total                     | 0
app_layer.error.modbus.parser                 | Total                     | 0
app_layer.error.modbus.internal               | Total                     | 0
app_layer.flow.enip_tcp                       | Total                     | 0
app_layer.tx.enip_tcp                         | Total                     | 0
app_layer.error.enip_tcp.gap                  | Total                     | 0
app_layer.error.enip_tcp.alloc                | Total                     | 0
app_layer.error.enip_tcp.parser               | Total                     | 0
app_layer.error.enip_tcp.internal             | Total                     | 0
app_layer.flow.dnp3                           | Total                     | 0
app_layer.tx.dnp3                             | Total                     | 0
app_layer.error.dnp3.gap                      | Total                     | 0
app_layer.error.dnp3.alloc                    | Total                     | 0
app_layer.error.dnp3.parser                   | Total                     | 0
app_layer.error.dnp3.internal                 | Total                     | 0
app_layer.flow.nfs_tcp                        | Total                     | 0
app_layer.tx.nfs_tcp                          | Total                     | 0
app_layer.error.nfs_tcp.gap                   | Total                     | 0
app_layer.error.nfs_tcp.alloc                 | Total                     | 0
app_layer.error.nfs_tcp.parser                | Total                     | 0
app_layer.error.nfs_tcp.internal              | Total                     | 0
app_layer.flow.ntp                            | Total                     | 141
app_layer.tx.ntp                              | Total                     | 298
app_layer.error.ntp.gap                       | Total                     | 0
app_layer.error.ntp.alloc                     | Total                     | 0
app_layer.error.ntp.parser                    | Total                     | 0
app_layer.error.ntp.internal                  | Total                     | 0
app_layer.flow.ftp-data                       | Total                     | 0
app_layer.tx.ftp-data                         | Total                     | 0
app_layer.error.ftp-data.gap                  | Total                     | 0
app_layer.error.ftp-data.alloc                | Total                     | 0
app_layer.error.ftp-data.parser               | Total                     | 0
app_layer.error.ftp-data.internal             | Total                     | 0
app_layer.flow.tftp                           | Total                     | 0
app_layer.tx.tftp                             | Total                     | 0
app_layer.error.tftp.gap                      | Total                     | 0
app_layer.error.tftp.alloc                    | Total                     | 0
app_layer.error.tftp.parser                   | Total                     | 0
app_layer.error.tftp.internal                 | Total                     | 0
app_layer.flow.ike                            | Total                     | 3
app_layer.tx.ike                              | Total                     | 40
app_layer.error.ike.gap                       | Total                     | 0
app_layer.error.ike.alloc                     | Total                     | 0
app_layer.error.ike.parser                    | Total                     | 0
app_layer.error.ike.internal                  | Total                     | 0
app_layer.flow.krb5_tcp                       | Total                     | 0
app_layer.tx.krb5_tcp                         | Total                     | 0
app_layer.error.krb5_tcp.gap                  | Total                     | 0
app_layer.error.krb5_tcp.alloc                | Total                     | 0
app_layer.error.krb5_tcp.parser               | Total                     | 0
app_layer.error.krb5_tcp.internal             | Total                     | 0
app_layer.flow.quic                           | Total                     | 354
app_layer.tx.quic                             | Total                     | 376
app_layer.error.quic.gap                      | Total                     | 0
app_layer.error.quic.alloc                    | Total                     | 0
app_layer.error.quic.parser                   | Total                     | 0
app_layer.error.quic.internal                 | Total                     | 0
app_layer.flow.dhcp                           | Total                     | 4
app_layer.tx.dhcp                             | Total                     | 256
app_layer.error.dhcp.gap                      | Total                     | 0
app_layer.error.dhcp.alloc                    | Total                     | 0
app_layer.error.dhcp.parser                   | Total                     | 0
app_layer.error.dhcp.internal                 | Total                     | 0
app_layer.flow.snmp                           | Total                     | 0
app_layer.tx.snmp                             | Total                     | 0
app_layer.error.snmp.gap                      | Total                     | 0
app_layer.error.snmp.alloc                    | Total                     | 0
app_layer.error.snmp.parser                   | Total                     | 0
app_layer.error.snmp.internal                 | Total                     | 0
app_layer.flow.sip                            | Total                     | 0
app_layer.tx.sip                              | Total                     | 0
app_layer.error.sip.gap                       | Total                     | 0
app_layer.error.sip.alloc                     | Total                     | 0
app_layer.error.sip.parser                    | Total                     | 0
app_layer.error.sip.internal                  | Total                     | 0
app_layer.flow.rfb                            | Total                     | 0
app_layer.tx.rfb                              | Total                     | 0
app_layer.error.rfb.gap                       | Total                     | 0
app_layer.error.rfb.alloc                     | Total                     | 0
app_layer.error.rfb.parser                    | Total                     | 0
app_layer.error.rfb.internal                  | Total                     | 0
app_layer.flow.pgsql                          | Total                     | 0
app_layer.tx.pgsql                            | Total                     | 0
app_layer.error.pgsql.gap                     | Total                     | 0
app_layer.error.pgsql.alloc                   | Total                     | 0
app_layer.error.pgsql.parser                  | Total                     | 0
app_layer.error.pgsql.internal                | Total                     | 0
app_layer.flow.telnet                         | Total                     | 0
app_layer.tx.telnet                           | Total                     | 0
app_layer.error.telnet.gap                    | Total                     | 0
app_layer.error.telnet.alloc                  | Total                     | 0
app_layer.error.telnet.parser                 | Total                     | 0
app_layer.error.telnet.internal               | Total                     | 0
app_layer.flow.rdp                            | Total                     | 0
app_layer.tx.rdp                              | Total                     | 0
app_layer.error.rdp.gap                       | Total                     | 0
app_layer.error.rdp.alloc                     | Total                     | 0
app_layer.error.rdp.parser                    | Total                     | 0
app_layer.error.rdp.internal                  | Total                     | 0
app_layer.flow.http2                          | Total                     | 0
app_layer.tx.http2                            | Total                     | 0
app_layer.error.http2.gap                     | Total                     | 0
app_layer.error.http2.alloc                   | Total                     | 0
app_layer.error.http2.parser                  | Total                     | 0
app_layer.error.http2.internal                | Total                     | 0
app_layer.flow.bittorrent-dht                 | Total                     | 0
app_layer.tx.bittorrent-dht                   | Total                     | 0
app_layer.error.bittorrent-dht.gap            | Total                     | 0
app_layer.error.bittorrent-dht.alloc          | Total                     | 0
app_layer.error.bittorrent-dht.parser         | Total                     | 0
app_layer.error.bittorrent-dht.internal       | Total                     | 0
app_layer.flow.failed_tcp                     | Total                     | 228
app_layer.error.failed_tcp.gap                | Total                     | 0
app_layer.flow.dcerpc_udp                     | Total                     | 0
app_layer.tx.dcerpc_udp                       | Total                     | 0
app_layer.error.dcerpc_udp.alloc              | Total                     | 0
app_layer.error.dcerpc_udp.parser             | Total                     | 0
app_layer.error.dcerpc_udp.internal           | Total                     | 0
app_layer.flow.dns_udp                        | Total                     | 17717
app_layer.tx.dns_udp                          | Total                     | 72415
app_layer.error.dns_udp.alloc                 | Total                     | 0
app_layer.error.dns_udp.parser                | Total                     | 0
app_layer.error.dns_udp.internal              | Total                     | 0
app_layer.flow.enip_udp                       | Total                     | 0
app_layer.tx.enip_udp                         | Total                     | 0
app_layer.error.enip_udp.alloc                | Total                     | 0
app_layer.error.enip_udp.parser               | Total                     | 0
app_layer.error.enip_udp.internal             | Total                     | 0
app_layer.flow.nfs_udp                        | Total                     | 0
app_layer.tx.nfs_udp                          | Total                     | 0
app_layer.error.nfs_udp.alloc                 | Total                     | 0
app_layer.error.nfs_udp.parser                | Total                     | 0
app_layer.error.nfs_udp.internal              | Total                     | 0
app_layer.flow.krb5_udp                       | Total                     | 0
app_layer.tx.krb5_udp                         | Total                     | 0
app_layer.error.krb5_udp.alloc                | Total                     | 0
app_layer.error.krb5_udp.parser               | Total                     | 0
app_layer.error.krb5_udp.internal             | Total                     | 0
app_layer.flow.failed_udp                     | Total                     | 2483
flow.end.state.new                            | Total                     | 4851
flow.end.state.established                    | Total                     | 19163
flow.end.state.closed                         | Total                     | 59446
flow.end.state.local_bypassed                 | Total                     | 0
flow.end.tcp_state.none                       | Total                     | 0
flow.end.tcp_state.syn_sent                   | Total                     | 471
flow.end.tcp_state.syn_recv                   | Total                     | 6
flow.end.tcp_state.established                | Total                     | 499
flow.end.tcp_state.fin_wait1                  | Total                     | 31
flow.end.tcp_state.fin_wait2                  | Total                     | 157
flow.end.tcp_state.time_wait                  | Total                     | 445
flow.end.tcp_state.last_ack                   | Total                     | 135
flow.end.tcp_state.close_wait                 | Total                     | 786
flow.end.tcp_state.closing                    | Total                     | 0
flow.end.tcp_state.closed                     | Total                     | 58866
flow.end.tcp_liberal                          | Total                     | 1403
flow.mgr.full_hash_pass                       | Total                     | 671
flow.mgr.rows_per_sec                         | Total                     | 6553
flow.spare                                    | Total                     | 11060
flow.emerg_mode_entered                       | Total                     | 0
flow.emerg_mode_over                          | Total                     | 0
flow.mgr.rows_maxlen                          | Total                     | 5
flow.mgr.flows_checked                        | Total                     | 218340
flow.mgr.flows_notimeout                      | Total                     | 135709
flow.mgr.flows_timeout                        | Total                     | 82631
flow.mgr.flows_evicted                        | Total                     | 83053
flow.mgr.flows_evicted_needs_work             | Total                     | 49147
flow_bypassed.closed                          | Total                     | 0
flow_bypassed.pkts                            | Total                     | 0
flow_bypassed.bytes                           | Total                     | 0
memcap_pressure                               | Total                     | 5
memcap_pressure_max                           | Total                     | 8
flow.recycler.recycled                        | Total                     | 33906
flow.recycler.queue_avg                       | Total                     | 3
flow.recycler.queue_max                       | Total                     | 70
tcp.memuse                                    | Total                     | 3637248
tcp.reassembly_memuse                         | Total                     | 688128
http.memuse                                   | Total                     | 0
http.memcap                                   | Total                     | 0
ftp.memuse                                    | Total                     | 0
ftp.memcap                                    | Total                     | 0
app_layer.expectations                        | Total                     | 0
file_store.open_files                         | Total                     | 0
flow.memuse                                   | Total                     | 7823264

Nothing jumps out at me from the log file that would cause Suricata to just get stuck at 50% packet loss. Looking at ifconfig, it only reports 1156 being dropped.

enp1s0f3: flags=2499<UP,BROADCAST,RUNNING,NOARP,PROMISC,SLAVE>  mtu 9000
        RX packets 45896265  bytes 36170592986 (33.6 GiB)
        RX errors 0  dropped 1156  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I'm using an Intel I350 network card. Am I missing something here? I've tried adjusting the ring-size, max-pending-packets, and workers on Suricata but the same exact problem happens. Looking at the used system resources as well nothing jumps out at me as being wrong. CPU Usage caps out at around 50%, System Memory Usage stays at around 55%

Does anyone have any idea on what might be going on here or any other troubleshooting steps I could do?

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by technox123

Mar 1, 2024

If anyone else comes across this issue, it turns out the problem was my network card. I swapped to an Intel x710-da2 and all my issues I had with packet loss have disappeared.

View full answer

technox123 · 2024-02-16T13:33:25Z

technox123
Feb 16, 2024
Author

Update:

So, I have done some more investigation into this issue I seem to be having and I noticed that the "Elastic Ingest TIme Spent" jumps to around 25-30s (I assume seconds) for the "rename_time" variable on the manager in InfluxDB. Is this a normal and safe value to have?

The "IO-Wait" time on the sensor also jumps to between 1%-8%.

Could this be causing my packet loss in Suricata?

My other question would be why is Suricata packet loss capping out at 50% in InfluxDB? If I try to get raw value it just get's stuck at 500M. Is this a hard limit on InfluxDB or with Telegraf?

2 replies

cm-ops Feb 20, 2024
Maintainer

You can check atop and see if the disk is having trouble keeping up.

technox123 Feb 21, 2024
Author

Thanks for the reply. I've since managed to source a new machine that is 8 cores, has a 1tb nvme and 64gb of ram (same NIC as before though). The IO-Wait has completely dropped down now. I've also updated to version 2.4.50, however, I seem to still be having the same issue of Suricata dropping more and more packets until I restart the container.

Any other suggestions for troubleshooting steps I could do?

technox123 · 2024-03-01T09:30:26Z

technox123
Mar 1, 2024
Author

If anyone else comes across this issue, it turns out the problem was my network card. I swapped to an Intel x710-da2 and all my issues I had with packet loss have disappeared.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

High Suricata Packet Loss #12329

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

High Suricata Packet Loss #12329

Uh oh!

technox123 Feb 8, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments · 2 replies

Uh oh!

technox123 Feb 16, 2024 Author

Uh oh!

cm-ops Feb 20, 2024 Maintainer

Uh oh!

technox123 Feb 21, 2024 Author

Uh oh!

technox123 Mar 1, 2024 Author

technox123
Feb 8, 2024

Replies: 2 comments 2 replies

technox123
Feb 16, 2024
Author

cm-ops Feb 20, 2024
Maintainer

technox123 Feb 21, 2024
Author

technox123
Mar 1, 2024
Author