[Oisf-devel] Suricata performance in ips-copy mode

Eric Leblond eric at regit.org
Tue Jun 11 08:08:32 UTC 2013


Hi,

On Tuesday 11 June 2013 at 05:23 +0000, Arun Dheena wrote:
> Hello.
>  
> We are trying to measure the performance for suricata in ips-copy mode on Intel (Sandy Bridge 8 core system E5-2670 0 @ 2.60GHz).
> I have configured suricata with af-packet copy mode as mentioned in the blog here..
>  
> https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
>  
> Attached is the yaml file. 
> We are using Ubuntu Linux 3.8.0, with Mellanox adapter (irq balance enabled) and suricata version 1.4.2
>  
> Would like to know from the experts :
>  
> [1] What is the expected throughput range for 10K HTTP sessions, with zero rules and with all the traffic matches the HOME_NET ?
> None of the traffic are threat traffic.
> We are getting around 3Gbps. 

I do not have any number for this type of setup. How is the CPU usage
when running the tests ?

> [2] Just a note, we are seeing kernel capture drops with the traffic / configuration as mentioned in [1] for all the threads.

Is the traffic correctly load-balanced between threads ?

> [3] Any other parameter / suggestion that could significantly change the performance for intel
>  in ips-copy mode.

affinity on detect threads (meaning in workers mode treatment threads)
could be set to exclusive and CPUs set to the CPUs on which network card
irq are sent.

Current suricata capabilities for this type of setup are not optimal as
the pairing between receive and send is not done on a per CPU basis. So
there may be some improvement here.

BR,
>  
> Thanks Much for the help
> Arun
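
One way to find the CPUs for the affinity advice in this reply, as an added example (not code from the thread or from Suricata): it sums a NIC's per-CPU counts from /proc/interrupts and renders a `detect-cpu-set` block in exclusive mode. The interface names and the sample text are constructed, and it assumes IRQ placement stays stable while you measure.

```python
# Constructed /proc/interrupts excerpt for an 8-CPU host (not from the thread).
SAMPLE = """\
            CPU0       CPU1       CPU2       CPU3       CPU4       CPU5       CPU6       CPU7
  0:         42          0          0          0          0          0          0          0   IO-APIC-edge      timer
 64:     910233          0          0          0          0          0          0          0   PCI-MSI-edge      eth2-0
 65:          0     887120          0          0          0          0          0          0   PCI-MSI-edge      eth2-1
 66:          0          0        120          0          0          0     901554          0   PCI-MSI-edge      eth2-2
 67:          0          0          0          0          0          0          0         35   PCI-MSI-edge      eth3-0
NMI:          5          5          5          5          5          5          5          5   Non-maskable interrupts
"""

def irq_cpus(text, iface, min_share=0.01):
    """Return the CPUs that handle at least min_share of iface's interrupts."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())          # header row: CPU0 CPU1 ...
    totals = [0] * ncpu
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < ncpu + 2:        # short rows such as "ERR: 0"
            continue
        counts = fields[1:1 + ncpu]
        if not all(c.isdigit() for c in counts):
            continue
        name = fields[-1]                 # e.g. "eth2-0"; must not match "eth20"
        if name != iface and not name.startswith(iface + "-"):
            continue
        for cpu, count in enumerate(counts):
            totals[cpu] += int(count)
    grand = sum(totals)
    if grand == 0:                        # interface not found or idle
        return []
    return [cpu for cpu, n in enumerate(totals) if n / grand >= min_share]

def affinity_yaml(cpus):
    """Render a suricata.yaml threading fragment pinning detect threads."""
    return (
        "threading:\n"
        "  set-cpu-affinity: yes\n"
        "  cpu-affinity:\n"
        "    - detect-cpu-set:\n"
        "        cpu: [ %s ]\n"
        "        mode: \"exclusive\"\n" % ", ".join(str(c) for c in cpus)
    )

if __name__ == "__main__":
    print(affinity_yaml(irq_cpus(SAMPLE, "eth2")))
```

On a live host, pass the contents of /proc/interrupts and the capture interface's name instead of `SAMPLE` and `eth2`.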
