[Oisf-users] max-pending-packets maxing out at 65,000

Josh White josh at securemind.org
Sat Dec 10 15:48:08 UTC 2011


Victor,

No reason, just curious. Planning on running a test on a 128 Core / 256GB
and trying to push things to the maximum limits.

Thanks for the quick response!

Josh

On Sat, Dec 10, 2011 at 3:19 AM, Victor Julien <victor at inliniac.net> wrote:

> On 12/10/2011 07:35 AM, Josh White wrote:
> > I appear to be hitting a ceiling of 65,000 packets when setting
> > max-pending-packets. If I set it to anything higher, even "66,000"
> > Suricata fails to start.
> >
> > ---
> > suricata -c /etc/suricata/suricata.yaml -i eth0
> > [3037] 10/12/2011 -- 01:29:11 - (suricata.c:649) <Info> (main) -- This is Suricata version 1.1 (rev )
> > [3037] 10/12/2011 -- 01:29:11 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 24
> > [3037] 10/12/2011 -- 01:29:11 - (util-ioctl.c:85) <Info> (GetIfaceMTU) -- Failure when trying to get MTU via ioctl: 19
> > [3037] 10/12/2011 -- 01:29:11 - (detect-pcre.c:128) <Info> (DetectPcreRegister) -- Using PCRE match-limit setting of: 3500
> > [3037] 10/12/2011 -- 01:29:11 - (detect-pcre.c:138) <Info> (DetectPcreRegister) -- Using PCRE match-limit-recursion setting of: 1500
> > ---
> >
> > Can anyone tell me why? Is this a hard set limit?
>
> Yeah it's a hard limit. Our packet pool is a lockless ringbuffer that
> can contain USHRT_MAX, so 65535 packets.
>
> Any reason to need more?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
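
The limit described in the quoted reply, as an added sketch that is not part of the original thread and not Suricata's code: a ring whose positions are stored in an unsigned short cannot address more than USHRT_MAX entries, so a configured size of 66000 has to be rejected at setup. Ring16 and its functions are hypothetical names, and the single-producer/single-consumer layout with one slot kept empty is an assumption of this sketch.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Sketch: SPSC ring indexed by unsigned short. Hypothetical, not Suricata's code. */
typedef struct {
    _Atomic unsigned short write, read; /* producer / consumer positions */
    unsigned int nslots;                /* capacity + 1; one slot stays empty */
    void **slots;
} Ring16;

int ring16_init(Ring16 *r, unsigned long capacity) {
    if (capacity == 0 || capacity > USHRT_MAX)
        return -1;                      /* 66000 does not fit the index type */
    r->nslots = (unsigned int)capacity + 1;
    r->slots = calloc(r->nslots, sizeof(void *));
    if (r->slots == NULL)
        return -1;
    atomic_init(&r->write, 0);
    atomic_init(&r->read, 0);
    return 0;
}

int ring16_put(Ring16 *r, void *p) {
    unsigned short w = atomic_load(&r->write);
    unsigned short next = (unsigned short)((w + 1u) % r->nslots);
    if (next == atomic_load(&r->read))
        return -1;                      /* full */
    r->slots[w] = p;
    atomic_store(&r->write, next);
    return 0;
}

void *ring16_get(Ring16 *r) {
    unsigned short rd = atomic_load(&r->read);
    if (rd == atomic_load(&r->write))
        return NULL;                    /* empty */
    void *p = r->slots[rd];
    atomic_store(&r->read, (unsigned short)((rd + 1u) % r->nslots));
    return p;
}

/* What an unchecked narrowing of the configured value would produce. */
unsigned short unchecked_size(unsigned long v) { return (unsigned short)v; }

int main(void) {
    Ring16 r;
    int rc = ring16_init(&r, 66000);
    printf("init(66000) = %d, unchecked size = %u\n", rc, (unsigned)unchecked_size(66000));
    return 0;
}
```

With a 16-bit unsigned short, an unchecked 66000 would wrap to 464 slots, which is why rejecting the value outright is the safer behaviour.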