Ok, thanks. It sounds like you need to test on live traffic, probably via a traffic generator to get a real feel for improvement. I've found that to be the case when testing rule set sizes: Offline testing is not a very good indicator of live traffic performance.<br>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Dec 12, 2012 at 1:24 PM, Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Thu, Dec 13, 2012 at 12:13 AM, Martin Holste <<a href="mailto:mcholste@gmail.com" target="_blank">mcholste@gmail.com</a>> wrote:<br>
>>2400 processors? Wow. So, the practical question: When the K20 family<br>
>> comes out, will Suricata really be harnessing all of the stream processors?<br>
>> Specifically, will it actually be performing 2400+ content matches in<br>
>> parallel?<br>
><br>
<br>
</div>Currently testing a redesigned version of cuda on my box. Have tested<br>
on 2 pcaps, the first pcap offering a 2% perf increase and the second<br>
one offering around 10% perf increase. Not very great, but It's still<br>
a basic version which needs to be improved.<br>
<br>
I have tried out with a buffer timeout(the time period over which we'd<br>
buffer packets and send it over to the gpu) ranging from 2ms - 20ms.<br>
The max I'm able to buffer with 2ms is around 10k packets, and with<br>
20ms it's around 20k packets. The nos may not be very meaningful,<br>
since it's traffic dependent, but yes in this case I was utilizing all<br>
of my cuda cores, but maybe not as efficiently as I'd want to. Good<br>
performance can be obtained when I can run a huge no of threads, i.e.<br>
x no of threads per packet, where x > 1, as opposed to the 1 thread<br>
per packet I have now. Have tried running 8million threads on 10mb<br>
buffer and it performed 4x better than having just 1 thread per<br>
payload. Would probably explore that next.<br>
<br>
The bottleneck I'm seeing is keeping a high inflow of packets and with<br>
pap file mode I have just 1 receive thread. If I have a couple of<br>
receive threads, I can buffer a lot more packets for the same timeout<br>
values. The only way to use multiple receive threads is reading from<br>
multiple pcap files, but that would need us to have separate flow hash<br>
tables, engine time handler per pcap.<br>
<br>
I can run it on the network with pfring or afp multi-rx threads, but I<br>
won't have a proper benchmark.<br>
<div><div><br>
><br>
><br>
> On Wed, Dec 12, 2012 at 12:12 PM, Anoop Saldanha <<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>><br>
> wrote:<br>
>><br>
>> On Wed, Dec 12, 2012 at 5:34 AM, Matt <<a href="mailto:matt@somedamn.com" target="_blank">matt@somedamn.com</a>> wrote:<br>
>> > Does anyone have any recommendations for graphics cards I can put in a<br>
>> > server chassis that will perform well with Suricata? I'm looking at<br>
>> > this<br>
>> > one:<br>
>> ><br>
>> > <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16814500262" target="_blank">http://www.newegg.com/Product/Product.aspx?Item=N82E16814500262</a><br>
>> ><br>
>> > Any experience to share?<br>
>> ><br>
>> > - Matt<br>
>> > _______________________________________________<br>
>> > Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
>> > Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>
>> > <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>> > List:<br>
>> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> > OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
>><br>
>> don't bother getting this.<br>
>><br>
>> I'd suggest waiting for sometime. Hoping to see a gk110 based geforce<br>
>> card. Worth the wait if it comes out.<br>
>><br>
>> You can run the quadro(way better than the card you suggested above)<br>
>> which you have till then.<br>
>><br>
>> --<br>
>> Anoop Saldanha<br>
>> _______________________________________________<br>
>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
>> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
><br>
><br>
<br>
<br>
<br>
</div></div><span><font color="#888888">--<br>
Anoop Saldanha<br>
</font></span></blockquote></div><br></div>