<div dir="ltr">I think having 8 cores really is my issue. With no rules enabled, I'm still getting drops with af-packet although it is better. <div><br></div><div><div>capture.kernel_drops      | AFPacketeth71             | 19611</div><div>capture.kernel_drops      | AFPacketeth72             | 23942</div><div>capture.kernel_drops      | AFPacketeth73             | 964</div><div>capture.kernel_drops      | AFPacketeth74             | 14720</div><div>capture.kernel_drops      | AFPacketeth75             | 0</div><div>capture.kernel_drops      | AFPacketeth76             | 0</div><div>capture.kernel_drops      | AFPacketeth77             | 0</div><div>capture.kernel_drops      | AFPacketeth78             | 19216</div></div><div><br></div><div><br></div><div>Thanks again for all of the help!  There's still much I need to learn about tuning Suricata.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 14, 2015 at 8:23 PM, Brian Hennigar <span dir="ltr"><<a href="mailto:bhennigar@gmail.com" target="_blank">bhennigar@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I've looked into pf_ring.  vmxnet3 isn't supported by pf_ring and the E1000 interface choice by ESXi is only 1gb which wouldn't work for 10Gb. vmxnet3 supports 10gb.   Passing the interface directly through to the VM might be an option but not ideal. <div><br></div><div>I'm just starting on configuring it to use workers and af-packet. </div><div><br></div><div>Thanks,</div><div>Brian</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 14, 2015 at 8:19 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
</span>I didn't notice that either.  All my deployments are bare metal, so I<br>
don't know how well that will work.  If the NICs support receive-side<br>
scaling everything should work well.<br>
<br>
-Coop<br>
<span><br>
On 10/14/2015 2:38 PM, Chris Wakelin wrote:<br>
> Also it seems you're using virtual NICs ("vmxnet3")?<br>
><br>
> Depending on which interface type you use and whether it supports<br>
> AFPacket, you might need something like PF_RING ZC<br>
> (<a href="http://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/" rel="noreferrer" target="_blank">http://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/</a>).<br>
><br>
> Best Wishes,<br>
> Chris<br>
<br>
<br>
</span><span>--<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042<br>
</span>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
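As an added example (not code from anyone in this thread), a small Python parser for stats.log lines in the format quoted above: it totals capture.kernel_drops per worker thread and reports how unevenly the drops are spread, since zero drops on some workers beside heavy drops on others indicates that flows are not being balanced evenly across the capture threads, which is the question the receive-side scaling remark raises. The sample input is constructed from the counters in the message.

```python
import re
from collections import OrderedDict

# Constructed sample in stats.log "counter | thread | value" layout, using the
# capture.kernel_drops numbers quoted in the message above.
SAMPLE_STATS = """\
capture.kernel_drops      | AFPacketeth71             | 19611
capture.kernel_drops      | AFPacketeth72             | 23942
capture.kernel_drops      | AFPacketeth73             | 964
capture.kernel_drops      | AFPacketeth74             | 14720
capture.kernel_drops      | AFPacketeth75             | 0
capture.kernel_drops      | AFPacketeth76             | 0
capture.kernel_drops      | AFPacketeth77             | 0
capture.kernel_drops      | AFPacketeth78             | 19216
"""

LINE_RE = re.compile(
    r"^\s*(?P<counter>[\w.]+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$"
)


def parse_counters(text):
    """Return {counter: {thread: value}} for every 'name | thread | value' line."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip the headers and separator lines a real stats.log contains
        counters.setdefault(m["counter"], OrderedDict())[m["thread"]] = int(m["value"])
    return counters


def kernel_drop_report(text):
    """Summarise kernel drops per capture thread and how unevenly they are spread."""
    drops = parse_counters(text).get("capture.kernel_drops", {})
    total = sum(drops.values())
    return {
        "total_drops": total,
        "threads": len(drops),
        "dropping_threads": [t for t, v in drops.items() if v > 0],
        "idle_threads": [t for t, v in drops.items() if v == 0],
        # share of all drops on the worst thread; close to 1/N means an even spread
        "worst_share": round(max(drops.values()) / total, 3) if total else 0.0,
    }


if __name__ == "__main__":
    for key, value in kernel_drop_report(SAMPLE_STATS).items():
        print(f"{key}: {value}")
```

Run it against a real stats.log to see whether drops sit on every worker (overall CPU starvation) or only on a few (uneven load balancing).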