[Oisf-devel] Cannot saturate bandwidth even with zero rules

Victor Julien victor at inliniac.net
Tue Nov 9 09:21:25 UTC 2010


Jen-Cheng(Tommy) Huang wrote:
> Hi,
> 
> I just tested suricata inline mode without the pf_ring feature.
> My NIC is an Intel 1 Gbps NIC.
> I used netperf TCP_MAERTS as my benchmark.
> When I removed all rules, I supposed suricata should run up to 941 Mbps
> which was what I observed in snort.
> However, I could only see around 700 Mbps. And with the default rule set
> which I downloaded from emergingthreats.net
> <http://emergingthreats.net/>, the throughput became 4xx Mbps. The
> strange thing was that the CPUs were not saturated (Intel Core i7). Thus, I
> supposed the CPUs were not the bottleneck. But why couldn't it saturate
> the bandwidth?
> Any idea?

Tommy, you could try to increase the max-pending-packets setting in
suricata.yaml. It defaults to 50. The really high speed setups I've seen
usually require a setting more in the range of 2000 to 4000. It will
cost quite a bit of extra memory though.

Let me know if that changes anything.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
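Victor's suggestion is a single suricata.yaml knob, but the memory caveat is worth quantifying before applying it on a sensor. The following is an added Python example written for this archive page, not code from Suricata or from either poster: it reads max-pending-packets from a constructed config excerpt, rewrites it to the proposed value, and gives a rough before/after estimate of the packet-pool memory. The default-packet-size key and the per-packet overhead figure are assumptions for the estimate, not values stated in the thread.

```python
import re

# Constructed excerpt of a suricata.yaml (sample input, not a real deployment).
SAMPLE_YAML = """\
%YAML 1.1
---
# Number of packets preallocated for the packet pool.
max-pending-packets: 50

# Preallocated size for each packet's payload buffer.
default-packet-size: 1514
"""

# Assumed per-packet bookkeeping overhead (packet struct, metadata) in bytes.
# This is a rough planning figure, not a value taken from Suricata's source.
ASSUMED_STRUCT_OVERHEAD = 1024


def get_int_setting(yaml_text, key, default=None):
    """Return the integer value of a top-level `key: N` line, ignoring comments.

    Only flat, top-level scalar keys are handled; that is enough for
    max-pending-packets and default-packet-size.
    """
    pattern = re.compile(
        r"^" + re.escape(key) + r"\s*:\s*(\d+)\s*(?:#.*)?$", re.MULTILINE
    )
    match = pattern.search(yaml_text)
    return int(match.group(1)) if match else default


def set_int_setting(yaml_text, key, value):
    """Return a copy of yaml_text with `key` set to `value`.

    Raises KeyError if the key is absent, so a typo in the key name does
    not silently leave the config unchanged.
    """
    pattern = re.compile(r"^(" + re.escape(key) + r"\s*:\s*)\d+", re.MULTILINE)
    new_text, count = pattern.subn(lambda m: f"{m.group(1)}{value}", yaml_text)
    if count == 0:
        raise KeyError(key)
    return new_text


def estimate_pool_bytes(max_pending, packet_size, overhead=ASSUMED_STRUCT_OVERHEAD):
    """Rough packet-pool memory: each pending packet owns one payload buffer
    of packet_size bytes plus the assumed fixed per-packet overhead."""
    return max_pending * (packet_size + overhead)


def plan_change(yaml_text, new_max_pending):
    """Rewrite max-pending-packets and report the before/after pool estimate."""
    packet_size = get_int_setting(yaml_text, "default-packet-size", 1514)
    current = get_int_setting(yaml_text, "max-pending-packets", 50)
    return {
        "current": current,
        "proposed": new_max_pending,
        "current_bytes": estimate_pool_bytes(current, packet_size),
        "proposed_bytes": estimate_pool_bytes(new_max_pending, packet_size),
        "yaml": set_int_setting(yaml_text, "max-pending-packets", new_max_pending),
    }


if __name__ == "__main__":
    plan = plan_change(SAMPLE_YAML, 2000)
    print(f"max-pending-packets: {plan['current']} -> {plan['proposed']}")
    print(f"packet pool estimate: {plan['current_bytes'] / 2**20:.1f} MiB -> "
          f"{plan['proposed_bytes'] / 2**20:.1f} MiB")
    print(plan["yaml"])
```

Run it against a copy of the real suricata.yaml by reading the file into `plan_change` instead of `SAMPLE_YAML`; the estimate is deliberately conservative and only meant to show that the jump from 50 to a few thousand pending packets is measured in megabytes, so check it against the sensor's free memory before restarting Suricata.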