<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p> What is your traffic like? Do you have lots of 'elephant' (big
data) flows?</p>
<p>Specifically long running flows of 100+ mbit/sec?<br>
</p>
If so and if you have enough memory, increase the size of your ring
buffer. I set mine to 500000 and packet drops are very low as a
result (&lt; .1 %). Also, if you have any PerfSonar appliances,
drop them on the tap or interface via a bpf filter. <br>
<br>
I've done lots of experimenting and the flow-bypass feature
doesn't work for non-TCP flows and can be overwhelmed by very high
bandwidth TCP flows, so having large buffers for busy networks is
still required. <br>
<br>
I've done some experiments and discovered that you can reduce packet
drops by ~50% by doubling the number of sensors/cores or ring-size.
However, once you get under 1% drops this rapidly becomes a case of
diminishing returns. <br>
<br>
-Coop<br>
<br>
<div class="moz-cite-prefix">On 7/12/2018 7:33 AM, fatema bannatwala
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACX0rUSkehcbMwHiqA-6sRCRW1snQfxfLWb6WrAyN2w3MqTpJQ@mail.gmail.com">Hi
Sean,
<div><br>
</div>
<div>Looks like it helped some. Modified the cpu-set settings as
you mentioned, and now loss is around 4-5%
[capture.kernel_packets: 685173701, capture.kernel_drops:
8692212 ]</div>
<div><br>
</div>
<div>I will see if I can recompile Suricata with Hyper-Scan and
see if the kernel_drops reduce to a lower number.</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Fatema.</div>
<div><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jul 12, 2018 at 9:12 AM,
Cloherty, Sean E <span dir="ltr">&lt;<a
href="mailto:scloherty@mitre.org" target="_blank"
moz-do-not-send="true">scloherty@mitre.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_2154441028046591105WordSection1">
<p class="MsoNormal">So looking at the docs – for
runmode workers these are the two affinity settings
which you need to concern yourself with – and the
worker-cpu set is the critical one.
</p>
<p class="MsoNormal"> </p>
<pre class="MsoNormal" style="background:rgb(238,255,204);font-family:Consolas;color:rgb(64,64,64)">management-cpu-set - used for management (example - flow.managers, flow.recyclers)
worker-cpu-set - used for receive,streamtcp,decode,detect,output(logging),respond/reject</pre>
<p class="MsoNormal"> </p>
<p class="MsoNormal">What you want to do is to use that
list in node 0 as the ones to use for workers and then
pick any two for the management CPU from node one –</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">So </p>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
<a class="moz-txt-link-abbreviated" href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042</pre>
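Added example, not part of the thread: the capture.kernel_packets and capture.kernel_drops counters Fatema quotes are cumulative totals in Suricata's stats.log, so the loss figure only tells you the rate since start. This Python script parses a stats.log dump (the dump text below is constructed to follow the "counter | TM Name | value" row layout), computes the per-interval drop rate from counter deltas, and labels it against the 0.1% and 1% marks Coop mentions.

```python
"""Per-interval capture drop rate from Suricata stats.log counters (added example)."""
import re

# Constructed sample dump in the stats.log row layout; counters are cumulative
# totals, so the second dump shows growth on top of the first.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------
Date: 7/12/2018 -- 07:33:00 (uptime: 0d, 01h 00m 00s)
------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 600000000
capture.kernel_drops                       | Total                     | 27000000
------------------------------------------------------------------------------
Date: 7/12/2018 -- 07:41:00 (uptime: 0d, 01h 08m 00s)
------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 660000000
capture.kernel_drops                       | Total                     | 27030000
"""

ROW = re.compile(r"^(capture\.kernel_(?:packets|drops))\s*\|\s*Total\s*\|\s*(\d+)\s*$")


def parse_snapshots(text):
    """Return a list of (date, packets, drops) tuples, one per 'Date:' dump."""
    snaps = []
    cur = None
    for line in text.splitlines():
        if line.startswith("Date:"):
            cur = {"date": line[5:].split("(")[0].strip()}
            snaps.append(cur)
            continue
        m = ROW.match(line)
        if m and cur is not None:
            cur[m.group(1).rsplit("_", 1)[1]] = int(m.group(2))  # 'packets' or 'drops'
    return [(s["date"], s.get("packets", 0), s.get("drops", 0)) for s in snaps]


def drop_rates(snaps):
    """Per-interval drop percentage: delta drops / delta packets between dumps.
    The first interval is measured from zero, i.e. since Suricata started."""
    rates, prev_p, prev_d = [], 0, 0
    for date, p, d in snaps:
        dp, dd = p - prev_p, d - prev_d
        rates.append((date, 100.0 * dd / dp if dp > 0 else 0.0))
        prev_p, prev_d = p, d
    return rates


def classify(rate_pct):
    """Thresholds from the thread: <0.1% is where a well-sized ring buffer lands,
    under 1% further ring/core doubling gives diminishing returns."""
    if rate_pct < 0.1:
        return "good"
    if rate_pct < 1.0:
        return "diminishing-returns"
    return "tune"
```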
</body>
</html>