I just wanted to add (since you are going to compare pfring and afpacket), that during test runs with the team a few weeks ago<br>with <br>1.3.1 (corresponding git back then)<br>afpacket<br>8cpu/16threads<br>5K ruleset<br>
16G RAM<br>on a 9.5Gb ISP traffic <br><br>we were able to achieve 75%cpu load and 0 drops<br>IMHO - is pretty good<br><br>if you desire any help, do not hesitate...<br><br><div class="gmail_quote">On Fri, Aug 24, 2012 at 12:03 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</div>Eric's post<br>
<a href="https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/" target="_blank">https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/</a> also has<br>
some example config on irq affinity and other performance config options.<br>
<div class="im"><br>
On 08/23/2012 05:23 PM, Martin Holste wrote:<br>
> You should set the cluster-id for pfring as well as the<br>
> cluster-type: cluster_flow in suricata.yaml. Also, you should set<br>
> threads: 8 (no more than 8 or you get diminishing returns). If you<br>
> set the interface, then you can start with --pfring instead of<br>
> --pfring-int= .<br>
><br>
> On Thu, Aug 23, 2012 at 6:53 AM, Peter Bates<br>
> <<a href="mailto:peter.bates@ucl.ac.uk">peter.bates@ucl.ac.uk</a>> wrote:<br>
><br>
</div><div class="im">> Hello all<br>
><br>
> First of all, congratulations on Suricata 1.3.1!<br>
><br>
> I've been reading the 'Threading' section of<br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml</a><br>
><br>
> and would still appreciate a few pointers.<br>
><br>
> I'm intending to use PF_RING for packet capture and am used to<br>
> spawning multiple instances of Snort which are specifically bound<br>
> to CPU cores - and also running 'set_irq_affinity.sh' to tie ixgbe<br>
> IRQs to specific cores.<br>
><br>
> I have 16 cores/32 threads - will the default suricata.yaml work<br>
> accordingly if I select --pfring-int=ethX ?<br>
><br>
> I'm tempted to compare AF_PACKET + PACKET_FANOUT against PF_RING<br>
> but I'm not keen on running too many 'experimental' (to quote<br>
> suricata.yaml) features.<br>
><br>
>><br>
</div><div class="im">>> _______________________________________________ Oisf-users<br>
>> mailing list <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
>><br>
_______________________________________________<br>
> Oisf-users mailing list <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
><br>
</div>- --<br>
- ---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
- ---------------------------------------------<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.11 (GNU/Linux)<br>
<div class="im">Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>
<br>
</div>iEYEARECAAYFAlA3UX0ACgkQiSMBBAuniMdxOwCfUvtvqnpETA1h4cttHSTVvuzN<br>
nyUAn1yZTBN58s0Fqtf5L/AaTT4YPaoL<br>
=ALiW<br>
<div class="HOEnZb"><div class="h5">-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>