[Discussion] Suricata performance over pcap

• Previous message (by thread): [Discussion] Suricata performance over pcap
• Next message (by thread): [Discussion] Suricata performance over pcap
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 01/14/2011 03:23 PM, Sangwoo wrote:
> Hello,
> I'm Sangwoo Moon from Korea.
> 
> I'm trying to measure the performance of Suricata.
> I have 10G network environment, highly optimized 10Gbps TCP/UDP packet 
> generator.
> My IDS machine has 12-core CPU.
> 
> I measured the performance of Suricata over pcap with no rule files, and 
> I received up to 2Gbps of pure receiving performance.
> However, I also ran Snort over pcap in same machine, it shows almost 
> 10Gbps performance.
> 
> This is what I got in console.
> [22494] 14/1/2011 -- 22:23:35 - (source-pcap.c:437) <Info> 
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:17667565 
> Recv:9450855 Drop:8216710 (46.5%).
> 
> I think that it says there is about 50% drop rate in pcap layer. I 
> wonder Suricata affects pcap layer whereas Snort doesn't.
> Can anybody give me some advice?

Two things you can try from the top of my head:

1. Increase the pcap buffer by passing the --pcap-buffer-size option on
the commandline.

2. Increase your max-pending-packets in your suricata.yaml

Personally I haven't tried Suricata in pcap mode yet on such a fast
network. Npulse did reach that speed (with significant ruleset) on
slower hardware, but the packet acquisition was done on a Napatech card.

Please let me know if incrementing the 2 above values buys you anything.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

• Previous message (by thread): [Discussion] Suricata performance over pcap
• Next message (by thread): [Discussion] Suricata performance over pcap
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]