Bug #7179
openCapture Kernel Drops happen when data transferring inside the intranet
Description
Mode : IDS with af-packet
Suricata : 7.0.6 and below with hyperscan
OS : Debian 12.x
Capture Kernel Drops only happens when data transferring between machines inside the intranet.
Updated by Victor Julien about 1 month ago
There is no detail in this report. Why do you believe there is a bug?
Updated by Samiux A about 1 month ago
It is because it only happens when the large data (for example, 10Mb) exchange between machines in the intranet. It does not happen when the large data is exchange between machine and remote server (internet), for example, download large file.
Updated by Victor Julien about 1 month ago
How much data? What protocols? How many flows? Please include such detail in your report.
Updated by Samiux A about 1 month ago
How to get such data? Get from the stats.log?
Updated by Samiux A about 1 month ago
I have a NextCloud machine in the network. When I paste a file (size 7.6MB) to the NextCloud directory via Linux file manager, there is no kernel drop observed. However, when I paste a file (size 7.9MB) to the NextCloud directory via Linux file manager, there is a 3 to 4 kernel drop observed. If I paste a file large than 10MB or above, the large number of kernel drop can be observed according the file size.
When the file size is below 7.6MB, there is no kernel drop observed.
Meanwhile, I do not use DAV or HTTP protocol (and not HTTPS) to paste the file to NextCloud, I think it is TCP protocol.
The network is connected with 1000Mbps network interface cards.
Updated by Samiux A about 1 month ago
Please close this thread as the problem is solved by changing the settings in suricata.yaml.