<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Franklin Gothic Book";
panose-1:2 11 5 3 2 1 2 2 2 4;}
@font-face
{font-family:"Lucida Console";
panose-1:2 11 6 9 4 5 4 2 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hello,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I know some folks in the community have successfully integrated and tuned Suricata for use with Myricom’s Sniffer10g hardware. We are in the process of testing Suricata 2.1-Beta with Sniffer10g hardware and have come across at least a few questions regarding the integration of the two. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>While I have seen some of the older OISF threads where users have cited a configuration that is working well for them, I would personally rather understand the interdependency between SNF parameters and suricata.yaml parameters, and how they affect the runtime behavior of Suricata. This understanding will allow us to intelligently tune rather than blindly guess. <span style='color:black'>We posed these questions with Myricom support and the response was to contact the OISF mailing list. Considering that others may have had similar questions, we're hoping a discussion thread can help to shed some additional guidance relating to tuning Suricata with Myricom capture cards.</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'>In particular, I was wondering if anyone had any insight into Suricata’s memory usage with regards to DATARING_SIZE, as you can see here from the output of ‘top’, the Suricata memory increases *<b>rapidly</b>* with respect to the DATARING_SIZE. <o:p></o:p></p><p class=MsoNormal style='text-autospace:none'>**The yaml file was constant throughout all 3 tests – only the SNF ring parameters changed**<o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console";color:black'>(DATARING_SIZE = 256MB (default), DESCRING_SIZE=64MB (default) – 8 rings/threads)</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Lucida Console";color:black'>61300 user 20 0 15.4g 13g 5.0g S 221.7 5.2 36:43.21 Suricata-Main <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Lucida Console";color:black'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console";color:black'>(DATARING_SIZE = 4GB, DESCRING_SIZE=1GB – 8 rings/threads)</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Lucida Console";color:black'>28208 user 20 0 90.4g 88g 80g S 281.3 35.1 8:07.91 Suricata-Main<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Lucida Console";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Lucida Console";color:black'>(DATARING_SIZE = 8GB, DESCRING_SIZE=2GB – 8 rings/threads)</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Lucida Console";color:black'>55652 user 20 0 170g 168g 160g S 226.8 66.9 30:39.41 Suricata-Main</span><span style='font-size:10.0pt;font-family:"Segoe UI","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In addition, since Suricata is leveraging SNF through libpcap, I am wondering if it is known how the pcap.buffer-size parameter that is defined in the suricata.yaml relates to the DATARING_SIZE/DESCRING_SIZE parameters?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>pcap:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> - interface: eth4<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> # On Linux, pcap will try to use mmaped capture and will use buffer-size<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> # as total of memory used by the ring. So set this to something bigger<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> # than 1% of your bandwidth.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> buffer-size: 16777216<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I appreciate any guidance the community can provide on these items, in addition to any other tuning considerations when using Suricata with Sniffer10g hardware.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Zach<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b><span style='font-size:12.0pt;font-family:"Franklin Gothic Book","sans-serif"'>________________________<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Franklin Gothic Book","sans-serif"'>Zach Rasmor<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Franklin Gothic Book","sans-serif"'>Senior Software Engineer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Franklin Gothic Book","sans-serif"'>Lockheed Martin CIRT<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Franklin Gothic Book","sans-serif"'>700 N Frederick Ave | Gaithersburg, MD 20879<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Franklin Gothic Book","sans-serif"'>Email: <a href="mailto:zachary.r.rasmor@lmco.com"><span style='color:blue'>zachary.r.rasmor@lmco.com</span></a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Franklin Gothic Book","sans-serif"'>Office: 301.240.6116<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>