<div dir="ltr">Hello.<div><br></div><div>I'm trying to tune Suricata to handle up to 10Gbit/sec of traffic (that's a peak, jumps like crazy from 2.5 - 4.5 - 6 and up). So far my results were quite bad, so I'm seeking help - must be missing something obvious here judging by the number of articles where everyone seems to use Suricata on 10Gbit traffic.</div>
<div><br></div><div>Server:</div><div><br></div><div>2 x Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz (16 physical cores)</div><div>64GB RAM</div><div><br clear="all"><div>NIC - Myricom 10Gb 10G-PCIE-8B-S with the Sniffer software loaded and activated</div>
<div><br></div><div>Software:</div><div><br></div><div>This is Suricata version 2.0rc2 RELEASE<br></div><div><br></div><div>Command line:</div><div><br></div><div>SNF_NUM_RINGS=16 SNF_FLAGS=0x1 SNF_DESCRING_SIZE=1073741824 SNF_DATARING_SIZE=1073741824 SNF_DEBUG_MASK=0x3 suricata -c /etc/nsm/nsm11-eth4/suricata.yaml -i eth4 --runmode=workers<br>
</div><div><br></div><div>(16 threads, 1GB for each buffer)</div><div><br></div><div>The Myricom debug output seems fine.</div><div><br></div><div>Config file - pretty standard, most important things:</div><div><br></div>
<div>max-pending-packets: 5000<br></div><div>runmode: workers<br></div><div><br></div><div><div>detect-engine:</div><div> - profile: medium</div></div><div><br></div><div>Did not touch parameters here.</div><div><br></div>
<div> set-cpu-affinity: no<br></div><div><br></div><div>Also default settings here.</div><div><br></div><div> detect-thread-ratio: 1.5<br></div><div><br></div><div>(shouldn't it be 1.0?)</div><div><br></div><div><div>defrag:</div>
<div> memcap: 512mb</div><div> trackers: 65535 # number of defragmented flows to follow</div><div> max-frags: 65535 # number of fragments to keep (higher than trackers)</div><div> prealloc: yes</div><div> timeout: 60</div>
</div><div><br></div><div><div>flow:</div><div> memcap: 32mb</div><div> hash-size: 65536</div><div> prealloc: 10000</div><div> emergency-recovery: 30</div></div><div><br></div><div><div>stream:</div><div> memcap: 16gb</div>
<div> max-sessions: 20000000</div><div> prealloc-sessions: 10000000</div><div> checksum-validation: yes # reject wrong csums</div><div> inline: no # no inline mode</div><div> reassembly:</div>
<div> memcap: 14gb</div><div> depth: 6mb # reassemble 1mb into a stream</div><div> toserver-chunk-size: 2560</div><div> toclient-chunk-size: 2560</div><div><br></div><div>pcap:</div><div> - interface: eth4</div>
<div> threads: 16</div><div> buffer-size: 512kb</div><div> checksum-checks: no</div></div><div><br></div><div>The myricom tools show a high packet loss</div><div><br></div><div><div> SNF recv pkts: 634485790<br>
</div><div> SNF drop ring full: 137774061</div><div> Interrupts: 12053363</div></div><div><div> Net bad PHY/CRC32 drop: 32092</div><div>
Net overflow drop: 219656</div></div><div><br></div><div>Also note that it reports quite a few interrupts, of which there should be almost none.</div><div><br></div><div>What is the direction I should go here? I know that tuning a high capacity Suricata isn't exactly a single afternoon task, but I need to advise what to do now, how to proceed, etc.</div>
<div><br></div><div>Looking for clues.</div><div><br></div>-- <br>Michał Purzyński
</div></div>