The reason for increasing RX overruns on the network adapter

I noticed once on one of the servers that the RX overruns value is growing slightly.

I executed several commands (where p2p1 and p2p2 are the names of network interfaces):

ifconfig p2p1
ifconfig p2p2

Only the value of RX overruns increased by 10 packets every second, with traffic at about 2Gb/s (100,000 packets per second).
The server was equipped with the network adapter “HP NC552SFP 10Gb 2-Port Ethernet Server Adapter” with a network controller from Emulex.

Having looked the size of the maximum and current buffer:

ethtool -g p2p1
ethtool -g p2p2

Found that the buffers are set to maximum, TX buffer is 4096, and the maximum possible RX buffer was only 512.
See also my article – Changing TX and RX network interface buffers in Linux

Having looked at the correct distribution of network card interrupts over the processor cores:

grep p2p1 /proc/interrupts

Found that the network adapter has 4 IRQ interrupts maximum, and irqbalance accordingly allocated them to 4 cores, and the processor cores are 24.

The problem was solved by replacing the network adapter with a more expensive one – “665249-B21 HP 10Gb 2-port 560SFP + Adapter” with an Intel 82599 network controller.
After that, an error was not observed, RX and TX buffers were 4096, and IRQ was distributed to all 24 cores.
After a couple of days, the error counters remained at zero:

p2p1      RX packets:62535001155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36343078751 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:77395016742081 (77.3 TB)  TX bytes:10991051263063 (10.9 TB)

p2p2      RX packets:35672087256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58598868464 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10996254475480 (10.9 TB)  TX bytes:73378418623349 (73.3 TB)

Probably the previous network adapter was some kind of truncated version, since the price was two times lower, and in general for serious purposes it is better to use network adapters with a controller from Intel.

See also my article – Configuring the Network in Linux

How to make a bootable USB flash drive with CAINE

To make a bootable USB flash drive with CAINE, perform several actions:

1) Download the image CAINE from the official site www.caine-live.net

2) Download Universal USB Installer http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

3) We connect the USB flash drive to the computer and run the Universal USB Installer. In it, we agree with the license agreement by clicking “I Agree“, in the second window where “Step 1:” choose “CAINE Linux“, where “Step 2” click “Browse” and point to the downloaded image of CAINE (for example, caine9.0.iso). In “Step 3:” select the letter of the flash drive, tick the “Format” (this will re-partition the file system table and erase all the data on the USB flash drive).

4) Click “Create” and wait for the process to complete.

IPTables rules for ntopng

First of all, let’s look at the current IPTables rules:

iptables -nvL

To open the ntopng port, add the rule:

sudo iptables -A INPUT -m tcp -p tcp --dport 3000 -j ACCEPT

To open the ntopng port for a specific network or IP only:

sudo iptables -A INPUT -m tcp -p tcp --dport 3000 -s 10.0.0.0/24 -j ACCEPT

See also my articles:
Configuring IPTables
Install and configure ntopng

IPTables rules for nprobe

First of all, let’s look at the current IPTables rules:

iptables -nvL

In order for nprobe to accept NetFlow data, open the port for it:

sudo iptables -A INPUT -p udp --dport 2055 -j ACCEPT

In order for nprobe to accept NetFlow data only from a particular network or IP:

sudo iptables -A INPUT -s 10.0.0.0/24 -p udp --dport 2055 -j ACCEPT

See also my articles:
Configuring IPTables
Install and configure nprobe

Install and configure nprobe

Suppose we installed ntopng as I described in this article – Install and configure ntopng
That is, they selected the necessary package at http://packages.ntop.org/apt-stable/ and downloaded it:

wget wget http://apt-stable.ntop.org/16.04/all/apt-ntop-stable.deb
sudo dpkg -i apt-ntop-stable.deb

Install nprobe if it is not installed:

sudo apt-get clean all
sudo apt-get update
sudo apt-get install nprobe

To receive NetFlow data and transfer it to ntopng, create a file (in the nano editor, press CTRL+X to exit, y/x to save or discard changes):

sudo nano /etc/nprobe/nprobe-anyname.conf

Add to it:

--zmq="tcp://*:5556"
-3 2055
--flow-version 9
-n=none
-i=none

2055 is the port on which you want to receive NetFlow data, and port 5556 is used to transmit it to ntopng.
See my articles on configuring NetFlow on switches:
Configuring NetFlow on Cisco
Configuring sFlow on D-Link Switches
Setting up and using Traffic Flow in Mikrotik

Now it remains to open the ntopng configuration in a text editor:

sudo nano /etc/ntopng/ntopng.conf

And add a line at the end (thereby adding the nprobe interface to collect statistics):

--interface="tcp://127.0.0.1:5556"

It remains to restart ntopng to apply the changes:

sudo service ntopng restart

Check whether everything works:

sudo netstat -tulpen | grep 2055
sudo netstat -tulpen | grep 5556
sudo /etc/init.d/nprobe status

I noticed that nprobe does not always shut down after the command:

sudo /etc/init.d/nprobe stop

Therefore, if necessary, you can stop it like this:

sudo killall nprobe
sudo kill -9 PID

In the free version of nprobe, I had a message:

NOTE: This is a DEMO version limited to 25000 flows export.

The full version can be purchased at the official site of shop.ntop.org.

See also:
IPTables rules for nprobe

Configuring sFlow on D-Link Switches

sFlow – Traffic analysis protocol, similar to NetFlow.

Enable/disable sFlow on the switch:

enable/disable sflow

Viewing parameters:

show sflow
show sflow flow_sampler
show sflow counter_poller
show sflow analyzer_server

Adding/modifying the sFlow analyzer server:

create/config sflow analyzer_server 1-4 owner NAME timeout 1-2000000(sec)/infinite collectoraddress ADDRESS collectorport udp_PORT maxdatagramsize 300-1400

Example of removing the sFlow analyzer server:

delete sflow analyzer_server 1-4

Creating, modifying, deleting the sFlow polling counters:

create/config sflow counter_poller ports NUMBER/all analyzer_server_id 1-4 interval disable/20-120(sec)
delete sflow counter_poller ports NUMBER/all

Create, modify, delete sFlow sample ports:

create/config sflow flow_sampler ports NUMBER/all analyzer_server_id (1-4) rate value 0-65535 tx_rate value 0-65535 maxheadersize value 18-256
delete sflow flow_sampler ports NUMBER/all

I will give an example of setting:

enable sflow
create sflow analyzer_server 1 owner Linux collectoraddress 192.168.1.5 collectorport 6343
create sflow counter_poller ports 1 analyzer_server_id 1 interval 20
create sflow flow_sampler ports 1:1 analyzer_server_id 1 rate 1000 maxheadersize 128