<p dir="ltr">Hi guys,</p>
<p dir="ltr">in RHEL based Linux distributions (kernel 2.6.x) AF_PACKET does not have the packet fan out feature. Hence the necessary update to kernel 3.x.</p>
<p dir="ltr">If you are getting unbalanced workloads in the CPU's under worker mode, search the list for "IRQ", "performance","10gbps and beyond". You'll find threads dealing with such issues.</p>
<p dir="ltr">^^ this is what I can remember from the top of my head </p>
<p dir="ltr">Cheers,<br>
Duarte</p>
<div class="gmail_quote">On 10 Nov 2013 09:23, "Peter Manev" <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Sun, Nov 10, 2013 at 5:27 AM, Stephen Watson<br>
<<a href="mailto:steve@mansfieldweather.com">steve@mansfieldweather.com</a>> wrote:<br>
> I’ve setup Suricata as an IPS running in af_packet mode. I ran it for a<br>
> while on 2.6 Kernel then decided to move to 3.8 Kernel for multi thread<br>
> testing.<br>
><br>
><br>
<br>
So you are saying you can't do multi threading testing in 2.6? What is<br>
the reason? What kind of tests are you running?<br>
What are your expectations?<br>
<br>
><br>
> On the 2.6 Kernel the Suricata process CPU usage was showing 130% (dual core<br>
> CPU) at 20 Mbit throughput, yet on the 3.8 Kernel the Suricata thread is<br>
> still at 130% on 20 Mbit, the other worker threads have very low loading, it<br>
> seems the main suricate thread is what has the big hit on the resources.<br>
> So I can’t see any advantage on running the 3.8 Kernel over the 2.6 for a 20<br>
> Mbit internet connection at this point.<br>
><br>
<br>
There is much more to tuning Suricata than upgrading the kernel level<br>
and expecting performance improvement just because you have upgraded ,<br>
without doing tunning and conf changes. By the same logic you could<br>
downgrade to a lower level kernel version as well ...<br>
<br>
Is your question towards multi threading advantages of different<br>
kernel versions? Suricata performance tuning in IPS mode?<br>
(Linux kernel version changelog found here -<br>
<a href="http://kernelnewbies.org/LinuxVersions" target="_blank">http://kernelnewbies.org/LinuxVersions</a> )<br>
<br>
A bit more info could be useful so that we could help you better.<br>
<br>
<br>
><br>
><br>
> Regards,<br>
><br>
> Steve<br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
<br>
<br>
<br>
--<br>
Regards,<br>
Peter Manev<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div>