<div dir="ltr"><span style="font-size:12.8px">RxPcapeth71</span><br><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Looks like you're running in pcap runmode? Have you tried using AFPacket or something other than pcap?</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">./d</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 14, 2015 at 11:43 AM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span>Never tried and probably won't work that great because of I/O issues.<br>
But I really can't say either way.<br>
<br>
Another thing to try is using bpf filters, or filters on your tap, to<br>
only monitor certain flows.  See this article for example:<br>
<br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic</a><br>
<br>
You can invert this example and try just monitoring a single network or<br>
host via bpf filters and then expand that until you figure out what your<br>
capacity is.<br>
<span class=""><br>
On 10/14/2015 11:34 AM, Brian Hennigar wrote:<br>
> Hey Cooper,<br>
> I turned off the rules and still seeing the same amount of drops.<br>
> What is your experience with CUDA?  Instead of upgrading the CPUs, would<br>
> a GPU be the easier/cheaper option to get the required performance?  I<br>
> know I'll need to find one that is supported by ESXi for the passthrough.<br>
<br>
<br>
</span><span class="">- --<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
</span><div class="HOEnZb"><div class="h5">
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
</div></div></blockquote></div><br></div>