[Oisf-users] Performance on multiple CPUs
saldanha
poonaatsoc at gmail.com
Thu Aug 4 20:07:12 UTC 2011
On 08/03/2011 08:50 AM, Gene Albin wrote:
> So I just installed Suricata on one of our research computers with
> lots of cores available. I'm looking to see what kind of performance
> boost I get as I bump up the CPU's. After my first run I was surprised
> to see that I didn't get much of a boost when going from 8 to 32
> CPUs. I was running a 6GB pcap file with a about 17k rules loaded.
> The first run on 8 cores took 190sec. The second run on 32 cores took
> 170 sec. Looks like something other than CPU is the bottle neck.
>
> My first guess is Disk IO. Any recommendations on how I could
> check/verify that guess?
>
> Gene
>
> --
> Gene Albin
> gene.albin at gmail.com <mailto:gene.albin at gmail.com>
>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
* forgot to reply to the list previously
Hey Gene.
Can you test by increasing the max-pending-packets in the suricata.yaml
file to a higher value. You can try one run with a value of 500 and
then try higher values(2000+ suggested. More the better, as long as you
don't hit swap).
Once you have set a higher max-pending-packets you can try running
suricata in autofp runmode. autofp mode runs suricata in flow-pinned
mode. To do this add this option to your suricata command line
"--runmode=autofp. "
sudo suricata -c ./suricata.yaml -r your_pcap.pcap --runmode=autofp
With max-pending-packets set to a higher value and with
--runmode=autofp, you can test how suricata scales from 4 to 32 cores.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110805/13f9ef05/attachment-0002.html>
More information about the Oisf-users
mailing list