[Discussion] Suricata performance over pcap

Scott Damron sdamron at gmail.com
Fri Jan 14 14:53:05 UTC 2011


You might want to check your CPU utilization.  I know using TNAPI with
a 10 gig card and 16 cores I can reach 10Gbit on an Intel 10Gbit card.
 Using the set_irq_affinity script to load balance it across all
cores.  YMMV.

Scott

On Fri, Jan 14, 2011 at 8:46 AM, Victor Julien <lists at inliniac.net> wrote:
> On 01/14/2011 03:23 PM, Sangwoo wrote:
>> Hello,
>> I'm Sangwoo Moon from Korea.
>>
>> I'm trying to measure the performance of Suricata.
>> I have a 10G network environment and a highly optimized 10Gbps TCP/UDP packet
>> generator.
>> My IDS machine has a 12-core CPU.
>>
>> I measured the performance of Suricata over pcap with no rule files, and
>> I received up to 2Gbps of pure receiving performance.
>> However, I also ran Snort over pcap on the same machine, and it shows almost
>> 10Gbps performance.
>>
>> This is what I got in console.
>> [22494] 14/1/2011 -- 22:23:35 - (source-pcap.c:437) <Info>
>> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:17667565
>> Recv:9450855 Drop:8216710 (46.5%).
>>
>> I think that it says there is about a 50% drop rate in the pcap layer. I
>> wonder whether Suricata affects the pcap layer whereas Snort doesn't.
>> Can anybody give me some advice?
>
> Two things you can try off the top of my head:
>
> 1. Increase the pcap buffer by passing the --pcap-buffer-size option on
> the command line.
>
> 2. Increase your max-pending-packets in your suricata.yaml
>
> Personally I haven't tried Suricata in pcap mode yet on such a fast
> network. Npulse did reach that speed (with significant ruleset) on
> slower hardware, but the packet acquisition was done on a Napatech card.
>
> Please let me know if incrementing the 2 above values buys you anything.
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
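
An added example, not code from any poster in this thread or from the Suricata project: a small parser for the ReceivePcapThreadExitStats line quoted above, so the drop rate can be checked after each tuning run. At 46.5% drop the sensor never inspects almost half of the traffic. It assumes the log layout shown in the thread; the function names and the 1% alert threshold are hypothetical.

```python
import re

# Constructed sample: the exit-stats record from the thread, wrapped and
# mail-quoted the way it appears in the message.
SAMPLE_LOG = """\
>> [22494] 14/1/2011 -- 22:23:35 - (source-pcap.c:437) <Info>
>> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:17667565
>> Recv:9450855 Drop:8216710 (46.5%).
"""

STATS_RE = re.compile(
    r"\(ReceivePcapThreadExitStats\).*?"
    r"Pcap\s+Total:\s*(\d+)\s+Recv:\s*(\d+)\s+Drop:\s*(\d+)"
)


def parse_pcap_exit_stats(text):
    """Return one dict per ReceivePcap exit-stats record found in text."""
    # Strip mail quote markers, then re-join records wrapped across lines.
    unquoted = re.sub(r"(?m)^(?:>\s?)+", "", text)
    flat = " ".join(unquoted.split())
    records = []
    for match in STATS_RE.finditer(flat):
        total, recv, drop = (int(g) for g in match.groups())
        records.append({
            "total": total,
            "recv": recv,
            "drop": drop,
            # Recomputed from the counters, not read from the "(46.5%)" text.
            "drop_pct": round(100.0 * drop / total, 1) if total else 0.0,
            # In the record above, Total equals Recv + Drop.
            "consistent": total == recv + drop,
        })
    return records


def records_over_threshold(records, max_drop_pct=1.0):
    """Records whose drop rate exceeds max_drop_pct (assumed threshold)."""
    return [r for r in records if r["drop_pct"] > max_drop_pct]


if __name__ == "__main__":
    for rec in records_over_threshold(parse_pcap_exit_stats(SAMPLE_LOG)):
        print("packet loss at capture: %(drop)d of %(total)d "
              "(%(drop_pct).1f%%)" % rec)
```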


