https://lists.gt.net/ntop/misc/48984

After fighting with the fucking rules (copied from the master!
Shit, kept overwriting my files. That's ok, local rules are
rolled up into the downloaded rules file - NOT), I finally
checked the UFIRT rule with snort and suri. 100 hits to
one of the FSU servers, 1/sec. suri with pf-ring caught
all 100, af-packet caught 97. snort on ewansens2 only caught
75.

May be some changes on the way for ewansens2.

Also, I added a bpf rule ('not esp') to block that encapsulated
IPSEC crap. Doesn't seem to be working, though.

Not feeling too swell right now, may not be in tomorrow. If not,
good luck on all this crap. I'll let you know if I'm going to
be fucking with the rules from home if I don't come in.

Jim

On 6/18/19 6:11 PM, Jim Hranicky wrote:
> I've noticed some strange output from sar when running zbalance_ipc. 
> It seems I only get stats every other second, on odd seconds in this
> case: 
> 
> % sar -n DEV 1 10 | grep ens5f0
> 05:58:09 PM      IFACE   rxpck/s   txpck/s     rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s
> 05:58:09 PM    ens5f0 1001033.00      0.00 1440901.59      0.00      0.00      0.00     20.00
> 05:58:10 PM    ens5f0       0.00      0.00       0.00      0.00      0.00      0.00      0.00
> 05:58:11 PM    ens5f0 1024305.00      0.00 1422458.64      0.00      0.00      0.00     24.00
> 05:58:12 PM    ens5f0       0.00      0.00       0.00      0.00      0.00      0.00      0.00
> 05:58:13 PM    ens5f0 1028284.00      0.00 1567748.74      0.00      0.00      0.00     36.00
> 05:58:14 PM    ens5f0       0.00      0.00       0.00      0.00      0.00      0.00      0.00
> 05:58:15 PM    ens5f0 1037512.00      0.00 1568361.43      0.00      0.00      0.00     20.00
> 05:58:16 PM    ens5f0       0.00      0.00       0.00      0.00      0.00      0.00      0.00
> 05:58:17 PM    ens5f0 1009894.00      0.00 1482515.69      0.00      0.00      0.00     10.00
> 05:58:18 PM    ens5f0       0.00      0.00       0.00      0.00      0.00      0.00      0.00
> Average:       ens5f0 510102.80       0.00 748198.61       0.00      0.00      0.00     11.00
> 
> Checking for drops, I see them on the even seconds: 
> 
> % sar -n EDEV 1 10 | grep ens5f0
> 05:58:38 PM     IFACE   rxerr/s   txerr/s    coll/s  rxdrop/s  txdrop/s  txcarr/s  rxfram/s  rxfifo/s  txfifo/s
> 05:58:39 PM    ens5f0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
> 05:58:40 PM    ens5f0      0.00      0.00      0.00 629536.00      0.00      0.00      0.00      0.00      0.00
> 05:58:41 PM    ens5f0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
> 05:58:42 PM    ens5f0      0.00      0.00      0.00 517831.00      0.00      0.00      0.00      0.00      0.00
> 05:58:43 PM    ens5f0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
> 05:58:44 PM    ens5f0      0.00      0.00      0.00 558658.00      0.00      0.00      0.00      0.00      0.00
> 05:58:45 PM    ens5f0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
> 05:58:46 PM    ens5f0      0.00      0.00      0.00 595583.00      0.00      0.00      0.00      0.00      0.00
> 05:58:47 PM    ens5f0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
> 05:58:48 PM    ens5f0      0.00      0.00      0.00 588821.00      0.00      0.00      0.00      0.00      0.00
> Average:       ens5f0      0.00      0.00      0.00 289042.90      0.00      0.00      0.00      0.00      0.00
> 
> ethtool is reporting a lot of missed packets: 
> 
> % ethtool -S ens5f0 | egrep 'rx_dropped|rx_missed|rx_packets|errors'
>      rx_packets: 1775168454257
>      rx_errors: 0
>      tx_errors: 0
>      rx_dropped: 0
>      rx_over_errors: 0
>      rx_crc_errors: 0
>      rx_frame_errors: 0
>      rx_fifo_errors: 0
>      rx_missed_errors: 1031957653637
>      tx_aborted_errors: 0
>      tx_carrier_errors: 0
>      tx_fifo_errors: 0
>      tx_heartbeat_errors: 0
>      rx_length_errors: 0
>      rx_long_length_errors: 0
>      rx_short_length_errors: 0
>      rx_csum_offload_errors: 13923182
>      fcoe_last_errors: 0
> 
> zbalance_ipc : 
> 
>   /usr/local/pf/sbin/zbalance_ipc -i ens5f0 -m 4 -n 48 -c 99 -g 70 -S 71 -p
> 
> 48 snorts are running along with zbalance_ipc . 
> 
> Can anyone account for this behavior? Is zbalance_ipc unable to keep up, 
> or are there config changes I should make?
> 
> Card info : 
> 
>   81:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
> 
> Thanks,
> --
> Jim Hranicky
> Data Security Specialist
> UF Information Technology
> 
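
An added example, not part of the original messages: Python that turns the counters quoted above into a capture-loss estimate for the sensor interface, averaging the sar rows over the whole window because individual seconds alternate between zero and a burst. It assumes that rx_packets excludes missed frames and that sar prints a 12-hour clock with an AM/PM column; the function names are hypothetical.

```python
# Counter lines copied from the `ethtool -S ens5f0` output quoted above.
ETHTOOL_SAMPLE = """\
     rx_packets: 1775168454257
     rx_dropped: 0
     rx_missed_errors: 1031957653637
"""
# Rows from the quoted `sar -n EDEV` output, wrapped lines rejoined.
SAR_EDEV_SAMPLE = """\
05:58:39 PM ens5f0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
05:58:40 PM ens5f0 0.00 0.00 0.00 629536.00 0.00 0.00 0.00 0.00 0.00
05:58:41 PM ens5f0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
05:58:42 PM ens5f0 0.00 0.00 0.00 517831.00 0.00 0.00 0.00 0.00 0.00
05:58:43 PM ens5f0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
05:58:44 PM ens5f0 0.00 0.00 0.00 558658.00 0.00 0.00 0.00 0.00 0.00
05:58:45 PM ens5f0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
05:58:46 PM ens5f0 0.00 0.00 0.00 595583.00 0.00 0.00 0.00 0.00 0.00
05:58:47 PM ens5f0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
05:58:48 PM ens5f0 0.00 0.00 0.00 588821.00 0.00 0.00 0.00 0.00 0.00
"""

def parse_ethtool(text):
    # "name: value" lines -> {name: int}; non-numeric lines are skipped.
    counters = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            counters[name.strip()] = int(value)
    return counters

def missed_ratio(counters):
    # Assumption: rx_packets counts only frames delivered to the host, so
    # offered load = rx_packets + rx_missed_errors.
    missed = counters.get("rx_missed_errors", 0)
    offered = counters.get("rx_packets", 0) + missed
    return missed / offered if offered else 0.0

def rxdrop_series(text, iface):
    # Data rows: time, AM/PM, iface, rxerr/s, txerr/s, coll/s, rxdrop/s, ...
    rows = (line.split() for line in text.splitlines())
    return [float(f[6]) for f in rows if len(f) >= 7 and f[2] == iface]

def summarize(rates):
    # Returns (samples reading zero, mean rxdrop/s over the whole window).
    zero = sum(1 for r in rates if r == 0)
    return zero, (sum(rates) / len(rates) if rates else 0.0)

if __name__ == "__main__":
    print(f"NIC missed {missed_ratio(parse_ethtool(ETHTOOL_SAMPLE)):.1%}")
    print(summarize(rxdrop_series(SAR_EDEV_SAMPLE, "ens5f0")))
```
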


_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
