<div dir="ltr">Hey Cooper,<div>I turned off the rules and still seeing the same amount of drops. </div><div>What is your experience with CUDA? Instead of upgrading the CPUs, would a GPU be the easier/cheaper option to get the required performance? I know I'll need to find one that is supported by ESXi for the passthrough.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 14, 2015 at 2:43 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Have you tried running with no rules yet? If you are dropping packets<br>
with no rules then your sensor is over-subscribed and you need more cores.<br>
<br>
We are running a 10Gb tap with 16 (hyper-threaded) cores and the only<br>
way this is possible for us is via extensive packet filtering.<br>
<br>
If you want to monitor a highly-used 10Gbit interface you really need at<br>
least 32 cores. Many of the 10Gb cards don't support more than 16 cores<br>
(interrupts) per interface, so you may need to use a dual-interface and<br>
a load balancer to properly hash all the flows.<br>
<br>
- -Coop<br>
<span class=""><br>
On 10/14/2015 10:34 AM, Brian Hennigar wrote:<br>
> Hi,<br>
> I'm testing using Suricata with 10Gb fiber with out of band span ports<br>
> (not inline) and have noticed a high volume of packet loss. Are there<br>
> any best practices for using 10Gb when NOT inline?<br>
><br>
> I'm testing, I'm using esxi 5.5 and a ubuntu 14.04 VM and vmxnet3<br>
> network adapters. The vm has 64gb ram and 8 cores. All offloading<br>
> options are disabled on the interface.<br>
><br>
<br>
<br>
</span>- --<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.17 (MingW32)<br>
<br>
iQEcBAEBAgAGBQJWHpROAAoJEKIFRYQsa8FWhPUIAIc9c+I+Z00Q+al9NjGqEZZg<br>
v0h3VyXEV6ju/ePghrSpY+ICBxhaZCBtvsJehWmX4Fob2GR+ab6dLBng/wlbVgXW<br>
Ig43Oi/TDge5feVh9Jw4pWmBCATvECSS6liKCJGf2eAFADhLV8jbmEjFw58TNa8W<br>
lLoAapKC8W1uhYRaIiG6dfMa9aHZDhyvUsUAni4iVlwexWwqMR35o0pIe88wFRda<br>
RB4ILsGlQEv4KRCJ2pH3cKvsyYvzAI1YnKmuJJhgSjsA9j0Lr2iAFYZjVZWQABLr<br>
I8SMnNM/E3cJuG02lc3WKoc9RQcMc3adE25a4FAFF+s4vo4uFxkpXY6dtr3kfC8=<br>
=5IVd<br>
-----END PGP SIGNATURE-----<br>
</blockquote></div><br></div>