<div dir="ltr"><div> SNF recv pkts: 328287934</div><div> SNF drop ring full: 0</div><div><br></div><div>OK. So. The data ring size is for all wokers, i.e. if I allocate 10GB than I need just 10GB of physical memory. What made me think otherwise are tools like top, htop, free -m. They actually show num_workers x data_ring_size = crazy amount of memory I don't have. But because all workers map the same physical memory it does not matter, because all I need is just a virtual memory to handle the mapping and that's it.</div>
<div><br></div><div>Sending around 3.5Gbit/sec now (in peak, goes down to 2Gbit/sec) and myricom says that suricata takes all the packets. Will debug the Suricata performance later tomorrow, it's 2AM :-)</div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, Apr 1, 2014 at 1:23 AM, Michał Purzyński <span dir="ltr"><<a href="mailto:michalpurzynski1@gmail.com" target="_blank">michalpurzynski1@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>As for the decoder rules - I don't remember disabling them (where can I read more?).</div><div><br></div><div>Suricata says.</div><div><br></div>31/3/2014 -- 18:29:38 - <Info> - 2441 signatures processed. 133 are IP-only rules, 611 are inspecting packet payload, 1554 inspect application layer, 0 are decoder event only<br>
</div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Tue, Apr 1, 2014 at 1:22 AM, Michał Purzyński <span dir="ltr"><<a href="mailto:michalpurzynski1@gmail.com" target="_blank">michalpurzynski1@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Argh, I've sent replies directly instead of the list, my apologies, Gmail web interface isn't my native env.<div>
<br></div><div>Anyway.</div><div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px">There are around 4 cores busy most of the time and the rest floating. There is nothing sitting at 100% all the time.</span></div>
<div><br></div><div>I use the ETOpen rule set, testing ETPro is my next step.</div><div><div><br></div><div><div style="font-family:arial,sans-serif;font-size:13px">Enabled are (only)</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>ET-emerging-worm</div><div>ET-emerging-snmp</div><div>ET-emerging-attack_response</div><div>ET-emerging-botcc.portgrouped</div><div>ET-emerging-botcc</div>
<div>ET-emerging-ciarmy</div></div><div style="font-family:arial,sans-serif;font-size:13px">ET-emerging-current_events<br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">
and also ET-emerging-chat without IRC</div></div><div><br></div></div><div>How much memory do you have in your sensors?<span style="font-family:arial,sans-serif;font-size:13px"> </span><span style="font-family:arial,sans-serif;font-size:13px">SNF_DATARING_SIZE = 32GB times 16 is 512GB.</span></div>
<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">Also, how do you start Suricata - I use the eth4 interface, is there any difference with using the snf0?<br></font><div><div class="gmail_extra">
<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 31, 2014 at 4:52 PM, Erich Lerch <span dir="ltr"><<a href="mailto:erich.lerch@gmail.com" target="_blank">erich.lerch@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Michał,<br>
<br>
We have a similar setup, also with the Myricom 10gb interface.<br>
<br><div><br></div></blockquote></div></div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>Michał Purzyński
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Michał Purzyński
</div>