<div dir="ltr">No, it doesn't work, at least in the sense of only 1% packet loss being considered a success.  Something odd with the Intel cards is preventing more than 16 hardware queues from being used as the system will only show activity with 16 cores in workers mode, all other CPUs are 100% idle.  The RSS parameter to the ixgbe module needs to be set for each port although it claims to automatically use # of cores or # of ports, whichever is greater.  Also again, about FdirMode=3.. I don't think it applies here.<div>
<br></div><div>I've since removed the additional cards and just experiment with one.  autofp mode isn't working as I'd expect either.</div><div><br></div><div><div>Adjusting the MTU did reduce memory consumption.  I suppose that is meant to reflect the average pMTU of flows and not the link connected to the sensor.  The documentation could be written better to reflect this as that part seems to imply something different.  (yes, reading more about MTU and IDS from various sources makes it clear).  Regarding documentation the af-packet section regarding the zero-copy ring size conflicting with buffer_size should be updated; values that are commented out are assumed to be 'defaults' like in many other configuration scenarios;  I'm glad you pointed this out as it is definitely not apparent to me from just looking at the configuration.</div>
<div><br></div><div>I'm going to go away now to read code and experiment more.<br></div><div><br></div><div>--TC</div><div><br></div><div><br></div><div>autofp Example:</div><div><br></div><div><div><div>capture.kernel_packets    | RxAFPeth41                | 7117283101</div>
<div>capture.kernel_drops      | RxAFPeth41                | 4885784393</div><div>capture.kernel_packets    | RxAFPeth42                | 7290835993</div><div>capture.kernel_drops      | RxAFPeth42                | 5061427961</div>
<div>capture.kernel_packets    | RxAFPeth43                | 7213432976</div><div>capture.kernel_drops      | RxAFPeth43                | 4941736439</div><div>capture.kernel_packets    | RxAFPeth44                | 7273721753</div>
<div>capture.kernel_drops      | RxAFPeth44                | 5046375696</div><div>capture.kernel_packets    | RxAFPeth45                | 7702660203</div><div>capture.kernel_drops      | RxAFPeth45                | 5473406098</div>
<div>capture.kernel_packets    | RxAFPeth46                | 6526210366</div><div>capture.kernel_drops      | RxAFPeth46                | 4280571057</div><div>capture.kernel_packets    | RxAFPeth47                | 7473635100</div>
<div>capture.kernel_drops      | RxAFPeth47                | 5264888903</div><div>capture.kernel_packets    | RxAFPeth48                | 8001217687</div><div>capture.kernel_drops      | RxAFPeth48                | 5781338601</div>
<div>capture.kernel_packets    | RxAFPeth49                | 7935510106</div><div>capture.kernel_drops      | RxAFPeth49                | 5684606164</div><div>capture.kernel_packets    | RxAFPeth410               | 6672471328</div>
<div>capture.kernel_drops      | RxAFPeth410               | 4480440331</div><div>capture.kernel_packets    | RxAFPeth411               | 4012330752</div><div>capture.kernel_drops      | RxAFPeth411               | 2650530005</div>
<div>capture.kernel_packets    | RxAFPeth412               | 6938284654</div><div>capture.kernel_drops      | RxAFPeth412               | 4686886437</div><div>capture.kernel_packets    | RxAFPeth413               | 7368646714</div>
<div>capture.kernel_drops      | RxAFPeth413               | 5117305059</div><div>capture.kernel_packets    | RxAFPeth414               | 5284771030</div><div>capture.kernel_drops      | RxAFPeth414               | 3751148947</div>
<div>capture.kernel_packets    | RxAFPeth415               | 7373582300</div><div>capture.kernel_drops      | RxAFPeth415               | 5176332364</div><div>capture.kernel_packets    | RxAFPeth416               | 7114510564</div>
<div>capture.kernel_drops      | RxAFPeth416               | 4903112771</div><div>capture.kernel_packets    | RxAFPeth417               | 68112</div><div>capture.kernel_drops      | RxAFPeth417               | 0</div><div>
capture.kernel_packets    | RxAFPeth418               | 80839</div><div>capture.kernel_drops      | RxAFPeth418               | 0</div><div>capture.kernel_packets    | RxAFPeth419               | 77292</div><div>capture.kernel_drops      | RxAFPeth419               | 0</div>
<div>capture.kernel_packets    | RxAFPeth420               | 90287</div><div>capture.kernel_drops      | RxAFPeth420               | 0</div><div>capture.kernel_packets    | RxAFPeth421               | 78012</div><div>capture.kernel_drops      | RxAFPeth421               | 0</div>
<div>capture.kernel_packets    | RxAFPeth422               | 74278</div><div>capture.kernel_drops      | RxAFPeth422               | 0</div><div>capture.kernel_packets    | RxAFPeth423               | 79919</div><div>capture.kernel_drops      | RxAFPeth423               | 0</div>
<div>capture.kernel_packets    | RxAFPeth424               | 84155</div><div>capture.kernel_drops      | RxAFPeth424               | 0</div><div>capture.kernel_packets    | RxAFPeth425               | 84760</div><div>capture.kernel_drops      | RxAFPeth425               | 0</div>
<div>capture.kernel_packets    | RxAFPeth426               | 85328</div><div>capture.kernel_drops      | RxAFPeth426               | 0</div></div></div><div><div>capture.kernel_packets    | RxAFPeth427               | 81765</div>
<div>capture.kernel_drops      | RxAFPeth427               | 0</div><div>capture.kernel_packets    | RxAFPeth428               | 83583</div><div>capture.kernel_drops      | RxAFPeth428               | 0</div><div>capture.kernel_packets    | RxAFPeth429               | 91101</div>
<div>capture.kernel_drops      | RxAFPeth429               | 0</div><div>capture.kernel_packets    | RxAFPeth430               | 104013</div><div>capture.kernel_drops      | RxAFPeth430               | 0</div><div>capture.kernel_packets    | RxAFPeth431               | 92905</div>
<div>capture.kernel_drops      | RxAFPeth431               | 0</div><div>capture.kernel_packets    | RxAFPeth432               | 98068</div><div>capture.kernel_drops      | RxAFPeth432               | 0</div></div><div><br>
</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Aug 18, 2013 at 10:43 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</div>No problem and please let us know if the 'worker' mode config works for<br>
you.  I'm planning on building a 40gig sensor and it would help if I<br>
knew how it performed with multiple NICs.<br>
<br>
- -Coop<br>
<div><div class="h5"><br>
On 8/16/2013 5:36 PM, Tritium Cat wrote:<br>
> Cooper,<br>
><br>
> Thanks again for the explanations and supporting information.<br>
><br>
> --TC<br>
><br>
<br>
<br>
</div></div><div class="im">- --<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.17 (MingW32)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
</div>iQEcBAEBAgAGBQJSEbCGAAoJEKIFRYQsa8FWC5oIAM4qY13/Yu0Q7idrbcB+073z<br>
eh/AnOVCOU1NJbqltdVRtLWh8JFhdyhglNAZI2HpHoCSiRRkzHw7YTnz7DPadETg<br>
mEpTOJvm9y9DKJzG6jp1eGRqBFwQ+yMWTtQwxyg4gl0tk95OxkGHo3Y7ok/ROa7+<br>
1aRTnBDpkQ+HNeEBmI1Jw5rdf0gQ3jPuyhNLhF/cPNnTJ1YC6SyQE6DQSoz8ZIfb<br>
N+REZxcDTVdCdoblr2tQOH4PEKIuLGv7pBQPVUVKBxxCZCUBMYUJHXZvgcX7akFP<br>
xfRxcXlhmxgVsQFvBC7nJVLiEbcpP09wur7HMz/ck5jFqg9v+8F9I4E749Db84o=<br>
=LTPl<br>
-----END PGP SIGNATURE-----<br>
</blockquote></div><br></div>