[Discussion] Suricata performance over pcap

rmkml rmkml at free.fr
Fri Jan 14 15:40:54 UTC 2011


Hi,
Are you testing Suricata in IDS mode (span/mirror only) or in IPS/inline mode with iptables?
If it's IDS, maybe test with PF_RING?
Does your traffic generator send basic TCP/UDP traffic (zero padding?) or enhanced real application traffic like a Spirent/BreakingPoint Data Center profile?
Is it a very high packet rate with very small packets, or mixed sizes? (just for information)
Can you send top CPU information? (particularly if one core is at 100% and the others are at 25%...)
What exact Suricata version have you tested, please? (latest beta? latest git?)
Maybe start with gccprofile (Thx Victor)?
Regards
Rmkml

http://lists.openinfosecfoundation.org/pipermail/oisf-devel/2010-May/000193.html


On Fri, 14 Jan 2011, Victor Julien wrote:

> On 01/14/2011 03:53 PM, Scott Damron wrote:
>> You might want to check your CPU utilization.  I know using TNAPI with
>> a 10 gig card and 16 cores I can reach 10Gbit on an Intel 10Gbit card.
>>  Using the set_irq_affinity script to load balance it across all
>> cores.  YMMV.
>
> You can set the pcap recv thread's cpu affinity as well from Suricata's
> suricata.yaml by enabling the thread.set_cpu_affinity option. This will
> force the pcap thread to run on CPU0. A problem here may be that we run
> a single pcap receive thread. Our current git master code allows you to
> read from multiple pcap devices, but that has its own set of, ehhh
> "challenges" :)
>
> Cheers,
> Victor


