<div dir="ltr"><div style="font-size:12.8px">Just realized I only replied to Yasha directly. Resending this to the list.<br><br>I'm running something similar on Ubuntu 16.04, and while this is not on CentOS, i'll share my findings. Since you're cat-ing /proc/interrupts, it sounds like what you're asking is how to set the IRQ for the NIC at a SYSTEM level. If you then pair the worker's threads via suricata's set-cpu-affinity setting, you should see (or at least feel better?) about that performance boost.<br><br>Firstly, I've found that irqbalance was giving me headaches and resetting my values....so:</div><div style="font-size:12.8px"><br></div><blockquote style="font-size:12.8px;margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace">killall irqbalance<br></font><font face="monospace, monospace">systemctl disable irqbalance</font></blockquote></blockquote><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Secondly, I needed to know what interrupts to set. I'm running an 8-core CPU (4 pysical cores, hyperthreaded) so i should have 8 irq's to deal with (This varies, but I believe it to be the smaller number between Rx-Tx queues provided by the NIC and the number of cores you have - it looks like you've got 4). Also, since you're asking about IRQs, I'm assuming you can get the name of the NIC in question. Mine is enp1s0f0, looks like yours is eth0.</div><div style="font-size:12.8px"><br></div><blockquote style="font-size:12.8px;margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace"># grep enp1s0f0 /proc/interrupts</font></blockquote></blockquote><blockquote style="font-size:12.8px;margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace"> CPU0 CPU1 CPU2 CPU3 CPU4 CPU5 CPU6 CPU7<br></font><font face="monospace, monospace"> 33: 300 0 0 0 0 0 0 0 IR-PCI-MSI 524288-edge enp1s0f0-TxRx-0<br></font><font face="monospace, monospace"> 34: 0 300 0 0 0 0 0 0 IR-PCI-MSI 524289-edge enp1s0f0-TxRx-1<br></font><font face="monospace, monospace"> 35: 0 0 300 0 0 0 0 0 IR-PCI-MSI 524290-edge enp1s0f0-TxRx-2<br></font><font face="monospace, monospace"> 36: 0 0 0 300 0 0 0 0 IR-PCI-MSI 524291-edge enp1s0f0-TxRx-3<br></font><font face="monospace, monospace"> 37: 0 0 0 0 300 0 0 0 IR-PCI-MSI 524292-edge enp1s0f0-TxRx-4<br></font><font face="monospace, monospace"> 38: 0 0 0 0 0 300 0 0 IR-PCI-MSI 524293-edge <span style="white-space:pre-wrap"> </span>enp1s0f0-TxRx-5<br></font><font face="monospace, monospace"> 39: 0 0 0 0 0 0 300 0 IR-PCI-MSI 524294-edge <span style="white-space:pre-wrap"> </span>enp1s0f0-TxRx-6<br></font><font face="monospace, monospace"> 40: 0 0 0 0 0 0 0 300 IR-PCI-MSI 524295-edge <span style="white-space:pre-wrap"> </span>enp1s0f0-TxRx-7<br></font><font face="monospace, monospace"> 41: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524296-edge <span style="white-space:pre-wrap"> </span>enp1s0f0</font></blockquote></blockquote><div style="font-size:12.8px"><div><br></div><div><b style="font-style:italic">NOTE: </b>Take notice of the 'diagonal'. I'm doing this on a box that has already had the settings applied. After a reboot, yours should also have zeros except for the pretty "diagonal" that shows it's working correctly (although the numbers may not be all equal, it should be distributed about evenly).</div><div><br></div><div>The above shows interrupts 33 through 40 are for enp1s0f0's Tx and Rx queues, so I'm going to go ahead and set those via the bitmask as denoted here:<a href="https://github.com/torvalds/linux/blob/master/Documentation/IRQ-affinity.txt" target="_blank">https://github.com/torvalds/linux/blob/master/Documentation/IRQ-affinity.txt</a><br></div></div><div style="font-size:12.8px"><br></div><blockquote style="font-size:12.8px;margin:0px 0px 0px 40px;border:none;padding:0px"><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace">echo 01 > /proc/irq/33/smp_affinity</font></blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace">echo 02 > /proc/irq/34/smp_affinity</font></blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace">echo 04 > /proc/irq/35/smp_affinity</font></blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace">echo 08 > /proc/irq/36/smp_affinity</font></blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace">echo 10 > /proc/irq/37/smp_affinity</font></blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace">echo 20 > /proc/irq/38/smp_affinity</font></blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace">echo 40 > /proc/irq/39/smp_affinity</font></blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace">echo 80 > /proc/irq/40/smp_affinity</font></blockquote></div></blockquote><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">And...that should do it! </div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Cheers,</div><div style="font-size:12.8px">~Shane</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 31, 2016 at 10:47 AM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I don't see any difference and it works fine as-is.<br>
<br>
I may switch to the script when I start using multiple 10G interfaces,<br>
just I have precise control over what cores are used.<br>
<br>
-Coop<br>
<span class="im HOEnZb"><br>
On 5/31/2016 12:05 AM, Peter Manev wrote:<br>
> On Mon, May 30, 2016 at 6:44 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br>
>> > Try reloading your NIC kernel module and restarting IRQ balance.<br>
>> ><br>
> So - you use irqbalance ? (I always disable it)<br>
> Have you seen any benefit contra using just the affinity script ?<br>
><br>
>> > I know I've seen it get 'stuck' on occasion, so I have a script to do<br>
>> > the above prior to launching suricata.<br>
>> ><br>
>> > -Coop<br>
<br>
<br>
</span><div class="HOEnZb"><div class="h5">--<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ITS Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
<br>
</div></div><br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br></blockquote></div><br></div>