[Oisf-devel] suricata & two-way traffic
vpiserchia at gmail.com
vpiserchia at gmail.com
Tue Jul 15 10:39:45 UTC 2014
Hello Mahnaz,
have you tried changing the cluster_type to cluster_flow ?
I'm not sure this can help but maybe it worth to check
best regards
vito
On 07/15/2014 12:04 PM, Mahnaz Talebi wrote:
> Is there anyone who can help me to solve this problem?
>
>
> On Tue, Jul 8, 2014 at 5:17 PM, Mahnaz Talebi <mhnz.talebi at gmail.com <mailto:mhnz.talebi at gmail.com>> wrote:
>
> Hi all,
>
>
> I am trying to evalute suricata's behavior, when sending traffic for two interface that peer together in af-packet mode. I use tcpreplay for sending traffic to these interfaces with rate 950Mbps.
> I use RSS & smp_affinity for distribute flows between cpus and use workers runmode and cluster-cpu as cluster-type in af-packet mode.
> when I send traffic for one of peered interfaces(p115p3), drop rate is 0%, and top -H report is :
>
> Cpu0 : 0.0%us, 20.1%sy, 12.2%ni, 54.6%id, 0.0%wa, 1.3%hi, 11.8%si, 0.0%st
> Cpu1 : 11.9%us, 18.0%sy, 0.0%ni, 52.2%id, 0.0%wa, 2.9%hi, 15.1%si, 0.0%st
> Cpu2 : 6.2%us, 16.7%sy, 0.0%ni, 20.7%id, 0.0%wa, 3.3%hi, 53.3%si, 0.0%st
> Cpu3 : 12.7%us, 18.0%sy, 0.0%ni, 57.6%id, 0.0%wa, 2.5%hi, 9.2%si, 0.0%st
> Cpu4 : 13.0%us, 20.6%sy, 0.0%ni, 51.3%id, 0.0%wa, 3.2%hi, 11.9%si, 0.0%st
> Cpu5 : 11.8%us, 19.3%sy, 0.0%ni, 51.4%id, 0.0%wa, 2.5%hi, 15.0%si, 0.0%st
> Cpu6 : 10.0%us, 15.3%sy, 0.0%ni, 57.7%id, 0.0%wa, 2.1%hi, 14.9%si, 0.0%st
> Cpu7 : 15.3%us, 27.8%sy, 0.0%ni, 40.9%id, 0.0%wa, 2.5%hi, 13.5%si, 0.0%st
> Mem: 20775960k total, 1003940k used, 19772020k free, 97688k buffers
> Swap: 5177340k total, 0k used, 5177340k free, 540524k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 6783 root 18 -2 337m 61m 3376 R 43.2 0.3 0:09.74 AFPacketp115p38
> 6780 root 18 -2 337m 61m 3376 R 35.6 0.3 0:07.61 AFPacketp115p35
> 6779 root 18 -2 337m 61m 3376 R 32.2 0.3 0:06.96 AFPacketp115p34
> 6781 root 18 -2 337m 61m 3376 R 32.2 0.3 0:06.95 AFPacketp115p36
> 6777 root 20 0 337m 61m 3376 R 31.3 0.3 0:06.72 AFPacketp115p32
> 6776 root 22 2 337m 61m 3376 R 29.9 0.3 0:08.12 AFPacketp115p31
> 6782 root 18 -2 337m 61m 3376 R 26.6 0.3 0:05.67 AFPacketp115p37
> 6778 root 20 0 337m 61m 3376 R 24.3 0.3 0:05.21 AFPacketp115p33
> 6767 root 20 0 337m 61m 3376 S 0.7 0.3 0:00.07 Suricata-Main
> 6784 root 22 2 337m 61m 3376 S 0.7 0.3 0:00.12 FlowManagerThre
>
> but, when I send traffic to both interfaces, drop rate for each interface is almost 55% ! each interface has 8 threads.
> and top -H report is:
>
> Cpu0 : 1.0%us, 24.7%sy, 49.8%ni, 6.7%id, 0.0%wa, 2.0%hi, 15.7%si, 0.0%st
> Cpu1 : 50.7%us, 24.2%sy, 0.3%ni, 7.4%id, 0.0%wa, 2.0%hi, 15.4%si, 0.0%st
> Cpu2 : 43.0%us, 19.5%sy, 0.0%ni, 1.0%id, 0.0%wa, 1.7%hi, 34.9%si, 0.0%st
> Cpu3 : 59.4%us, 21.8%sy, 0.0%ni, 8.1%id, 0.0%wa, 1.7%hi, 9.1%si, 0.0%st
> Cpu4 : 56.3%us, 23.0%sy, 0.0%ni, 7.7%id, 0.0%wa, 1.7%hi, 11.3%si, 0.0%st
> Cpu5 : 53.7%us, 23.8%sy, 0.0%ni, 6.4%id, 0.0%wa, 1.7%hi, 14.4%si, 0.0%st
> Cpu6 : 52.3%us, 23.2%sy, 0.0%ni, 8.1%id, 0.0%wa, 2.0%hi, 14.4%si, 0.0%st
> Cpu7 : 54.5%us, 23.6%sy, 0.0%ni, 7.1%id, 0.0%wa, 2.0%hi, 12.8%si, 0.0%st
> Mem: 20775960k total, 1014884k used, 19761076k free, 97844k buffers
> Swap: 5177340k total, 0k used, 5177340k free, 541212k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 6780 root 18 -2 337m 70m 3376 R 39.5 0.3 1:47.93 AFPacketp115p35
> 6771 root 18 -2 337m 70m 3376 R 39.2 0.3 0:09.97 AFPacketp115p44
> 6772 root 18 -2 337m 70m 3376 R 38.9 0.3 0:10.02 AFPacketp115p45
> 6783 root 18 -2 337m 70m 3376 R 38.9 0.3 2:11.36 AFPacketp115p38
> 6779 root 18 -2 337m 70m 3376 R 38.6 0.3 1:40.22 AFPacketp115p34
> 6773 root 18 -2 337m 70m 3376 R 38.2 0.3 0:09.65 AFPacketp115p46
> 6775 root 18 -2 337m 70m 3376 R 38.2 0.3 0:10.48 AFPacketp115p48
> 6781 root 18 -2 337m 70m 3376 R 38.2 0.3 1:39.22 AFPacketp115p36
> 6774 root 18 -2 337m 70m 3376 R 37.6 0.3 0:09.20 AFPacketp115p47
> 6782 root 18 -2 337m 70m 3376 R 37.2 0.3 1:22.00 AFPacketp115p37
> 6768 root 22 2 337m 70m 3376 R 36.2 0.3 0:09.99 AFPacketp115p41
> 6776 root 22 2 337m 70m 3376 R 36.2 0.3 1:33.93 AFPacketp115p31
> 6769 root 20 0 337m 70m 3376 R 35.9 0.3 0:09.28 AFPacketp115p42
> 6777 root 20 0 337m 70m 3376 R 35.9 0.3 1:36.01 AFPacketp115p32
> 6770 root 20 0 337m 70m 3376 R 30.9 0.3 0:07.85 AFPacketp115p43
> 6778 root 20 0 337m 70m 3376 R 30.6 0.3 1:17.34 AFPacketp115p33
>
> what is problem?!
>
>
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
More information about the Oisf-devel
mailing list