
<div dir="ltr"><span style="font-size:12.8px">RxPcapeth71</span><br><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Looks like you're running in pcap runmode? Have you tried using AFPacket or something other than pcap?</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">./d</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 14, 2015 at 11:43 AM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">-----BEGIN PGP SIGNED MESSAGE-----<br>

Hash: SHA1<br>

<br>

</span>Never tried and probably won't work that great because of I/O issues.<br>

But I really can't say either way.<br>

<br>

Another thing to try is using bpf filters, or filters on your tap, to<br>

only monitor certain flows.  See this article for example:<br>

<br>

> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic</a><br>

<br>

You can invert this example and try just monitoring a single network or<br>

host via bpf filters and then expand that until you figure out what your<br>

capacity is.<br>

<span class=""><br>

On 10/14/2015 11:34 AM, Brian Hennigar wrote:<br>

> Hey Cooper,<br>

> I turned off the rules and still seeing the same amount of drops.<br>

> What is your experience with CUDA?  Instead of upgrading the CPUs, would<br>

> a GPU be the easier/cheaper option to get the required performance?  I<br>

> know I'll need to find one that is supported by ESXi for the passthrough.<br>

<br>

<br>

</span><span class="">- --<br>

Cooper Nelson<br>

Network Security Analyst<br>

UCSD ACT Security Team<br>

<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>

-----BEGIN PGP SIGNATURE-----<br>

Version: GnuPG v2.0.17 (MingW32)<br>

<br>

</span>iQEcBAEBAgAGBQJWHqJZAAoJEKIFRYQsa8FWvjEH/iF4ZFzpe7eXoAd03E5z8p4M<br>

Q+0x2Mor+zi5BNLetemPB38ci9NzZ6bg4VHI5RQNcIOIun7sDnLMEUHOzHjL3NU3<br>

R42d0l6G+nXBL/BbNTinXfSUabp06ZN8phzU/laUJSDHXRjkSlXYjbXWxK62dit5<br>

b/f8c0wYQ5BKuujDY6dISvSnik95z76d0SMmKSgLBAEKd34NNdVEdMM2qCjL/G5x<br>

NfLQ7H0Uc39uEOTD5/1AT9Dpoaq3GZWkEmrqfSZp6A9I5WmkpjGE4EMHyXj7r5mp<br>

kms69Iw6ua2dHWzt5KFdIDS0XK2wbiTjgLFOP9KJ5NuyKm4Jrcav/DanszljSYM=<br>

=HIVS<br>

<div class="HOEnZb"><div class="h5">-----END PGP SIGNATURE-----<br>

_______________________________________________<br>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>

</div></div></blockquote></div><br></div>