[Oisf-devel] 77b708=WIN?
Chris Wakelin
c.d.wakelin at reading.ac.uk
Tue Oct 4 18:09:24 UTC 2011
On 04/10/11 18:51, Martin Holste wrote:
> PF_RING does a simple hash on srcip/dstip, so if suri does any more
> than that, it'll probably balance better.
But the PF_RING balancing is done in the kernel, I think? As I said
before, I like having "whole" suri instances tied to a CPU.
Do you use cluster_flow or cluster_round_robin? What do you have as
set_cpu_affinity and detect_thread_ratio?
Still not got to the bottom of killing suricata leading to core dumps,
both with yesterday's git version and today's (and with runmode=autofp
and runmode=single).
Of course, some of the rules have changed a bit (my custom anti-phishing
ones built from the APER project phishing_links list), but no more than
usual! Time to try disabling them I suppose ...
Best Wishes,
Chris
>
> On Tue, Oct 4, 2011 at 12:47 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 10/04/2011 07:24 PM, Martin Holste wrote:
>>> I recommend switching to autofp from single for PF_RING.
>>
>> This is interesting. In the "single" mode we rely on PF_RING to load
>> balance the flows, right?
>>
>> In "autofp" mode, Suricata uses it's own loadbalancing mechanism. Does
>> it appear that ours is balancing more evenly? Would be surprising
>> considering how simple the hash is.
>>
>> Or are there other factors that I'm overlooking?
>>
>> Cheers,
>> Victor
>> --
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
More information about the Oisf-devel
mailing list