[Discussion] Suricata performance over pcap

Joel Ebrahimi jebrahimi at bivio.net
Fri Jan 14 22:48:41 UTC 2011


I was curious about some of the Napatech results. I watched the video
regarding this and they state that they are able to get packets to
Suricata at 10Gb/s speed. We are able to do that on the Bivio system as
well, but the challenge has been having Suricata actually process those
packets at that speed. Do you know if these results meant that Suricata
itself actually processed packets at 10Gb/s? The video explanation was
vague about whether that was achieved. Even with parallel processing it
would seem that some of the expensive memcpy() functions and DPI
required would make this challenging at the user space level. Happen to
know anything more on how this was achieved in Suricata, especially with
a loaded ruleset?

Thanks,

// Joel 


Joel Ebrahimi
Solutions Architect
Bivio Networks Inc.
http://www.bivio.net


-----Original Message-----
From: discussion-bounces at openinfosecfoundation.org
[mailto:discussion-bounces at openinfosecfoundation.org] On Behalf Of
Victor Julien
Sent: Friday, January 14, 2011 6:46 AM
To: Sangwoo
Cc: discussion at openinfosecfoundation.org; fast-ids at list.ndsl.kaist.edu
Subject: Re: [Discussion] Suricata performance over pcap

On 01/14/2011 03:23 PM, Sangwoo wrote:
> Hello,
> I'm Sangwoo Moon from Korea.
> 
> I'm trying to measure the performance of Suricata.
> I have a 10G network environment and a highly optimized 10Gbps TCP/UDP
> packet generator.
> My IDS machine has a 12-core CPU.
> 
> I measured the performance of Suricata over pcap with no rule files, and
> I received up to 2Gbps of pure receiving performance.
> However, I also ran Snort over pcap on the same machine, and it shows
> almost 10Gbps performance.
> 
> This is what I got in the console.
> [22494] 14/1/2011 -- 22:23:35 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:17667565 Recv:9450855 Drop:8216710 (46.5%).
> 
> I think that it says there is about a 50% drop rate in the pcap layer. I
> wonder whether Suricata affects the pcap layer whereas Snort doesn't.
> Can anybody give me some advice?

Two things you can try from the top of my head:

1. Increase the pcap buffer by passing the --pcap-buffer-size option on
the commandline.

2. Increase your max-pending-packets in your suricata.yaml

Personally I haven't tried Suricata in pcap mode yet on such a fast
network. Npulse did reach that speed (with significant ruleset) on
slower hardware, but the packet acquisition was done on a Napatech card.

Please let me know if incrementing the 2 above values buys you anything.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
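A small checker for the ReceivePcapThreadExitStats lines quoted above, so the kernel-side drop rate can be read per capture thread before and after changing --pcap-buffer-size or max-pending-packets. This is an added example, not code from Suricata or from anyone in the thread; the second log line and the 1% threshold are constructed for illustration.

```python
import re

# Constructed sample: the first line is the one quoted in the thread, the
# second is a made-up capture thread that dropped nothing.
SAMPLE_LOG = """\
[22494] 14/1/2011 -- 22:23:35 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:17667565 Recv:9450855 Drop:8216710 (46.5%).
[22495] 14/1/2011 -- 22:23:35 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:1000000 Recv:1000000 Drop:0 (0.0%).
"""

# Matches the thread id in the leading brackets and the three pcap counters.
PCAP_STATS_RE = re.compile(
    r"\[(?P<tid>\d+)\].*?\(ReceivePcapThreadExitStats\).*?"
    r"Pcap Total:(?P<total>\d+) Recv:(?P<recv>\d+) Drop:(?P<drop>\d+)"
)


def parse_pcap_stats(text):
    """Return one dict per capture-thread exit line: tid, total, recv, drop, drop_pct."""
    results = []
    for line in text.splitlines():
        m = PCAP_STATS_RE.search(line)
        if not m:
            continue
        total, recv, drop = (int(m.group(k)) for k in ("total", "recv", "drop"))
        # In the quoted line Total equals Recv + Drop; treat anything else as a
        # truncated or mangled log line rather than silently computing a rate.
        if total != recv + drop:
            raise ValueError(f"inconsistent counters in line: {line}")
        drop_pct = 100.0 * drop / total if total else 0.0
        results.append({"tid": int(m.group("tid")), "total": total,
                        "recv": recv, "drop": drop, "drop_pct": drop_pct})
    return results


def threads_over_threshold(stats, max_drop_pct=1.0):
    """Thread ids whose pcap-layer drop rate exceeds max_drop_pct (assumed limit)."""
    return [s["tid"] for s in stats if s["drop_pct"] > max_drop_pct]


if __name__ == "__main__":
    for s in parse_pcap_stats(SAMPLE_LOG):
        print(f"thread {s['tid']}: dropped {s['drop']} of {s['total']} ({s['drop_pct']:.1f}%)")
```

Run it against Suricata's console output after each tuning change; a thread that stays in the over-threshold list indicates the drops are still happening at the pcap layer, not in detection.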
