
I just wanted to add (since you are going to compare pfring and afpacket), that during test runs with the team a few weeks ago<br>with <br>1.3.1 (corresponding git back then)<br>afpacket<br>8cpu/16threads<br>5K ruleset<br>

16G RAM<br>on a 9.5Gb ISP traffic <br><br>we were able to achieve 75%cpu load and 0 drops<br>IMHO - is pretty good<br><br>if you desire any help, do not hesitate...<br><br><div class="gmail_quote">On Fri, Aug 24, 2012 at 12:03 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>

Hash: SHA1<br>

<br>

</div>Eric's post<br>

<a href="https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/" target="_blank">https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/</a> also has<br>

some example config on irq affinity and other performance config options.<br>

<div class="im"><br>

On 08/23/2012 05:23 PM, Martin Holste wrote:<br>

> You should set the cluster-id for pfring as well as the<br>

> cluster-type: cluster_flow in suricata.yaml.  Also, you should set<br>

> threads: 8 (no more than 8 or you get diminishing returns).  If you<br>

> set the interface, then you can start with --pfring instead of<br>

> --pfring-int= .<br>

><br>

> On Thu, Aug 23, 2012 at 6:53 AM, Peter Bates<br>

> <<a href="mailto:peter.bates@ucl.ac.uk">peter.bates@ucl.ac.uk</a>> wrote:<br>

><br>

</div><div class="im">> Hello all<br>

><br>

> First of all, congratulations on Suricata 1.3.1!<br>

><br>

> I've been reading the 'Threading' section of<br>

> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml</a><br>

><br>

>  and would still appreciate a few pointers.<br>

><br>

> I'm intending to use PF_RING for packet capture and am used to<br>

> spawning multiple instances of Snort which are specifically bound<br>

> to CPU cores - and also running 'set_irq_affinity.sh' to tie ixgbe<br>

> IRQs to specific cores.<br>

><br>

> I have 16 cores/32 threads - will the default suricata.yaml work<br>

> accordingly if I select --pfring-int=ethX ?<br>

><br>

> I'm tempted to compare AF_PACKET + PACKET_FANOUT against PF_RING<br>

> but I'm not keen on running too many 'experimental' (to quote<br>

> suricata.yaml) features.<br>

><br>

>><br>

</div><div class="im">>> _______________________________________________ Oisf-users<br>

>> mailing list <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>

>> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

><br>

>><br>

_______________________________________________<br>

> Oisf-users mailing list <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>

> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

><br>

><br>

</div>- --<br>

- ---------------------------------------------<br>

Victor Julien<br>

<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>

PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>

- ---------------------------------------------<br>

<br>

-----BEGIN PGP SIGNATURE-----<br>

Version: GnuPG v1.4.11 (GNU/Linux)<br>

<div class="im">Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>

<br>

</div>iEYEARECAAYFAlA3UX0ACgkQiSMBBAuniMdxOwCfUvtvqnpETA1h4cttHSTVvuzN<br>

nyUAn1yZTBN58s0Fqtf5L/AaTT4YPaoL<br>

=ALiW<br>

<div class="HOEnZb"><div class="h5">-----END PGP SIGNATURE-----<br>

_______________________________________________<br>

Oisf-users mailing list<br>

<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>

<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

</div></div></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>

<div>Peter Manev</div><br>