Elephant Flows detection and mitigation


I have found a lot of articles and advises on how to optimize Suricata for high performance and minimize packet drop, but is there any process how to find or detect IP and port which causes packet dropping and increasing statistics?
I’m toying with the idea of mitigating some periodic elephant flows through eBPF in not-so-known or sometimes changeable environments.

Thx in advance


Did you check the already existing eBPF and XDP support: 19.4. eBPF and XDP — Suricata 6.0.1 documentation ?

It is not perfect but allows already some nice interactions.

Hi Eric,

yes, already checked it :slight_smile:

but my situation:
I draw stats from eve in grafana and see there kernel_drops in same time every day and my question is, if is there some option how to detect which flows causing this drops without I dont’t have to go to every person ask if he fired up some services in last few weeks.

How did you configure the different stream depth settings? Ideally those catch such flows, in reality I’ve seen that it doesn’t work all the time :slight_smile: but worth a try.

I have configured stream depth at 5MB, sometimes it looks like it works, but I’m not sure if it’s bypassed encrypted traffic. Or maybe it works on some protocols :thinking:

Is there any way how to look into it in real-time?

What I do is running iftop on such systems when I see it live, always trying to match it to htop as well. Keep in mind, depending on the configuration/NIC the iftop output might be misleading.

I would like to see a tool in the future that helps with that even more and also better support within Suricata, but it’s not that trivial. Those dynamic elephant flows are a big challenge.