Capure Loss Problem

[egidio-d]

Version

2.4.170

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

80

RAM

350 Gb

Storage for /

238 Gb

Storage for /nsm

9596 Gb

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi everyone,

We've noticed a significant Capture Loss issue on our Security Onion instance and are hoping you can help us figure out the cause.

The problem:
The Capture Loss value in the Grid section never drops below 10% and sometimes hits peaks of 40%. This is happening even though network traffic is very low (max 10 Mbps).

Our setup and what we've already tried:

The SPAN port is configured on a high-performance core switch.

The cabling has been checked and replaced multiple times.

Physical network card (NIC) offloading has been disabled.

The server hardware seems to be well-provisioned, with no obvious bottlenecks in terms of CPU, RAM, or disk.

This high loss rate is making our analysis difficult. Do you have any suggestions on what we should check or what configurations we could optimize to solve this issue?

Thanks in advance for your help!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

Is this a physical machine or VM?

What model NIC are you using?

What is the output of the following (replacing NIC with your actual sniffing NIC)?

ethtool -l NIC

[egidio-d]

Is this a physical machine or VM?

It's a physical machine. Security Onion ISO is installed directly on bare metal.

What model NIC are you using?

Intel(R) Gigabit 4P I350-t Adapter

What is the output of the following (replacing NIC with your actual sniffing NIC)?

ethtool -l NIC

Channel parameters for ens2f3:Pre-set maximums:
RX: n/a
TX: n/a
Other: 1
Combined: 8
Current hardware settings:
RX: n/a
TX: n/a
Other: 1
Combined: 8

[dougburks]

Please try the following and see if it helps:

sudo ethtool -L ens2f3 combined 1

[egidio-d]

Thanks! After that change, the value dropped a lot. It's now fluctuating between 0.0% and a maximum of 2%. What kind of impact would an increase in traffic have? Is a NIC with specific characteristics needed?

[dougburks]

You specify above that your traffic is less than 1Gbps. Your I350 NIC should be fine for speeds up to Gigabit as long as the rest of your hardware can keep up.

Please note that the ethtool setting above only applies while the OS is running. At the next reboot, the setting will revert to default values. We already have an issue to automatically set this ethtool setting at every boot:
#14951

This fix will be included in the upcoming 2.4.180 release.