<div>So I'm running in autofp mode and I increased the max-pending-packets from 50 to 500, then 5000, then 50000. I saw a dramatic increase from:</div><div>50 to 500 (17000 packets/sec @ 450sec to 57000 pps@140s)</div>
<div>not quite as dramatic from:</div><div>500 to 5000 ( to 85000pps@90s)</div><div>and about the same from:</div><div>5000 to 50000 (to 135000pps@60s)</div><div><br></div><div>My question now is about the tradeoff mentioned in the config file. It mentions negatively impacting caching. How does it impact caching? Will I see this when running pcaps or in live mode?</div>
<div><br></div><div>Thanks,</div><div>Gene</div><div><br><div class="gmail_quote">On Thu, Aug 4, 2011 at 1:07 PM, saldanha <span dir="ltr">&lt;<a href="mailto:poonaatsoc@gmail.com">poonaatsoc@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
On 08/03/2011 08:50 AM, Gene Albin wrote:
</div><blockquote type="cite"><div><div></div><div class="h5">So I just installed Suricata on one of our research
computers with lots of cores available. I'm looking to see what
      kind of performance boost I get as I bump up the CPUs.  After my
first run I was surprised to see that I didn't get much of a boost
when going from 8 to 32 CPUs. I was running a 6GB pcap file with
      about 17k rules loaded.  The first run on 8 cores took 190sec. 
The second run on 32 cores took 170 sec. Looks like something
      other than CPU is the bottleneck.  <br>
<br>
My first guess is Disk IO. Any recommendations on how I could
check/verify that guess?<br>
<br>
Gene<br>
<br>
-- <br>
Gene Albin<br>
<a href="mailto:gene.albin@gmail.com" target="_blank">gene.albin@gmail.com</a><br>
<br>
<br>
<br>
</div></div><div class="im"><pre>_______________________________________________
Oisf-users mailing list
<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
</pre>
</div></blockquote>
<tt><br>
* forgot to reply to the list previously<br>
<br>
Hey Gene.<br>
<br>
      Can you test by increasing the max-pending-packets in the
      suricata.yaml file to a higher value?  You can try one run with a
      value of 500 and then try higher values (2000+ suggested; the more
      the better, as long as you don't hit swap).</tt><br>
<br>
<tt>Once you have set a higher max-pending-packets you can try
running suricata in autofp runmode. autofp mode runs suricata in
      flow-pinned mode</tt>.  <tt>To do this, add this option to your
      suricata command line: "--runmode=autofp".<br>
<br>
sudo suricata -c ./suricata.yaml -r your_pcap.pcap
--runmode=autofp<br>
<br>
With max-pending-packets set to a higher value and with
--runmode=autofp, you can test how suricata scales from 4 to 32
cores.<br>
<br>
<br>
</tt>
</div>
<br></blockquote></div><br><br clear="all"><br>-- <br>Gene Albin<br><a href="mailto:gene.albin@gmail.com" target="_blank">gene.albin@gmail.com</a><br><br>
</div>