<div dir="ltr"><div><div><div><div><br>Yup, removing --enable-debug made a fair bit of a difference. I don't think I need to use it in anger any more now that suricata is ported and running.<br><br></div>What about the --enable-profiling and --enable-profiling-locks options? Do they have a significant hit on performance?<br>
<br></div>I discovered via their profiling functionality that removing the ioctl issue dropped my packet loss from 67% to 64%, and now removing --enable-debug dropped it further to between 14% to 33%, depending which thread you ask. It's almost usable on this platform!<br>
<br>I'll shuffle more threads onto the busy interface and see how much I can improve on that. Nope, going from 4 to 6 threads raised the drops from the previous 14%-33% up to 30%-65%. Going back to one thread only on the busy interface, after the initial boot up drops, the drops are almost zero and the thread is ticking away at up to 100K packets/second. That leads me to believe the locking isn't working so well on this system, I'm not sure they are actually using atomics.<br>
<br></div>Another issue which hits the O.S. scheduler is top(1M) is pretty bad on resources, it increases my dropped packets by 20% - 50%. Using prstat(1M) is much nicer on the system. It's the way it's written.<br>
<br></div>ta,<br>Mark.<br><div><div><div><br></div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Dec 18, 2013 at 12:57 AM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 12/17/2013 02:42 PM, Mark Ashley wrote:<br>
> suricata`PrintList+0x4e4<br>
> suricata`StreamTcpReassembleAppLayer+0x301<br>
> suricata`StreamTcpReassembleHandleSegmentUpdateACK+0x17b<br>
> suricata`StreamTcpReassembleHandleSegment+0x1a0<br>
> suricata`HandleEstablishedPacketToServer+0x1888<br>
> suricata`StreamTcpPacketStateEstablished+0x20c6<br>
> suricata`StreamTcpPacket+0x82a<br>
> suricata`StreamTcp+0x461<br>
> suricata`TmThreadsSlotVarRun+0xada<br>
> suricata`TmThreadsSlotProcessPkt+0x61<br>
> suricata`PcapCallbackLoop+0xd0b<br>
> libpcap.so.1.5.2`pcap_read_bpf+0x13d<br>
> 2843<br>
<br>
PrintList above suggests you've compiled with --enable-debug. This will<br>
be slow no matter what you do. The PrintList above for example iterates<br>
the TCP segment list multiple times per packet I think, or maybe just on<br>
segment insert. Anyhow: slow.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</font></span></blockquote></div><br></div>