[Oisf-users] max-pending-packets maxing out at 65,000

Martin Holste mcholste at gmail.com
Wed Dec 14 17:08:24 UTC 2011


Hm, that's only about 3 cores per 1 Gb, so my hunch is it shouldn't be
able to keep up, unless you're running a small ruleset.  What NICs
are you using?  I would think that would definitely be a factor.

On Wed, Dec 14, 2011 at 10:55 AM, Josh White <josh at securemind.org> wrote:
> You're exactly right, 40Gbps over 4 bonded 10Gbps interfaces "full-duplex"
>
> - Josh
>
>
> On Wed, Dec 14, 2011 at 11:44 AM, Martin Holste <mcholste at gmail.com> wrote:
>>
>> OMG, I guess I should put that on my Amazon wishlist...
>>
>> So how much traffic can you test against it?  I wonder if it could
>> handle 40 Gbit over bonded interfaces.
>>
>> On Wed, Dec 14, 2011 at 9:54 AM, Peter Manev <petermanev at gmail.com> wrote:
>> > http://www-03.ibm.com/systems/power/hardware/795/specs.html
>> >
>> > looks cheap :)
>> >
>> >
>> > On Wed, Dec 14, 2011 at 4:48 PM, Josh White <josh at securemind.org> wrote:
>> >>
>> >> IBM Power 795
>> >> Power7 CPU(s) (4.25GHz with so called "Turbocore")
>> >>
>> >> Memory is a bit lacking compared to an Intel or a cheaper AMD Opteron
>> >>
>> >> "L2 256KB"
>> >> "L3 8MB"
>> >>
>> >> Still I'm anxious to see how it performs.
>> >>
>> >> Josh
>> >>
>> >>
>> >>
>> >> On Wed, Dec 14, 2011 at 10:15 AM, Will Metcalf
>> >> <william.metcalf at gmail.com>
>> >> wrote:
>> >>>
>> >>> Josh will have to answer for sure but I did see this roaming around
>> >>> outside of his office building...
>> >>>
>> >>> http://yfrog.com/h3puwrp
>> >>>
>> >>> Regards,
>> >>>
>> >>> Will
>> >>> On Wed, Dec 14, 2011 at 8:33 AM, Martin Holste <mcholste at gmail.com>
>> >>> wrote:
>> >>> > Holy crap, 128 cores?  What is the architecture?
>> >>> >
>> >>> > On Wed, Dec 14, 2011 at 1:24 AM, Victor Julien <victor at inliniac.net>
>> >>> > wrote:
>> >>> >> On 12/10/2011 04:48 PM, Josh White wrote:
>> >>> >>> Victor,
>> >>> >>>
>> >>> >>> No reason, just curious. Planning on running a test on a 128 Core /
>> >>> >>> 256GB and try pushing things to the maximum limits.
>> >>> >>
>> >>> >> That's a lot of cores :) What do the specs look like?
>> >>> >>
>> >>> >> Let me know if you need guidance/ideas to configure optimally for
>> >>> >> this.
>> >>> >>
>> >>> >> Cheers,
>> >>> >> Victor
>> >>> >>
>> >>> >>>
>> >>> >>> Thanks for the quick response!
>> >>> >>>
>> >>> >>> Josh
>> >>> >>>
>> >>> >>> On Sat, Dec 10, 2011 at 3:19 AM, Victor Julien
>> >>> >>> <victor at inliniac.net>
>> >>> >>> wrote:
>> >>> >>>
>> >>> >>>> On 12/10/2011 07:35 AM, Josh White wrote:
>> >>> >>>>> I appear to be hitting a ceiling of 65,000 packets when setting
>> >>> >>>>> max-pending-packets. If I set it to anything higher, even "66,000"
>> >>> >>>>> Suricata fails to start.
>> >>> >>>>>
>> >>> >>>>> ---
>> >>> >>>>> suricata -c /etc/suricata/suricata.yaml -i eth0
>> >>> >>>>> [3037] 10/12/2011 -- 01:29:11 - (suricata.c:649) <Info> (main) -- This is Suricata version 1.1 (rev )
>> >>> >>>>> [3037] 10/12/2011 -- 01:29:11 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 24
>> >>> >>>>> [3037] 10/12/2011 -- 01:29:11 - (util-ioctl.c:85) <Info> (GetIfaceMTU) -- Failure when trying to get MTU via ioctl: 19
>> >>> >>>>> [3037] 10/12/2011 -- 01:29:11 - (detect-pcre.c:128) <Info> (DetectPcreRegister) -- Using PCRE match-limit setting of: 3500
>> >>> >>>>> [3037] 10/12/2011 -- 01:29:11 - (detect-pcre.c:138) <Info> (DetectPcreRegister) -- Using PCRE match-limit-recursion setting of: 1500
>> >>> >>>>> ---
>> >>> >>>>>
>> >>> >>>>> Can anyone tell me why? Is this a hard set limit?
>> >>> >>>>
>> >>> >>>> Yeah it's a hard limit. Our packet pool is a lockless ringbuffer that
>> >>> >>>> can contain USHRT_MAX, so 65535 packets.
>> >>> >>>>
>> >>> >>>> Any reason to need more?
>> >>> >>>>
>> >>> >>>> --
>> >>> >>>> ---------------------------------------------
>> >>> >>>> Victor Julien
>> >>> >>>> http://www.inliniac.net/
>> >>> >>>> PGP: http://www.inliniac.net/victorjulien.asc
>> >>> >>>> ---------------------------------------------
>> >>> >>>>
>> >>> >>>> _______________________________________________
>> >>> >>>> Oisf-users mailing list
>> >>> >>>> Oisf-users at openinfosecfoundation.org
>> >>> >>>>
>> >>> >>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >>> >>>>
>> >>> >>>>
>> >>> >>>
>> >>> >>
>> >>> >>
>> >>> >> --
>> >>> >> ---------------------------------------------
>> >>> >> Victor Julien
>> >>> >> http://www.inliniac.net/
>> >>> >> PGP: http://www.inliniac.net/victorjulien.asc
>> >>> >> ---------------------------------------------
>> >>> >>
>> >>>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Peter Manev
>> >
>> >
>>
>
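
The USHRT_MAX ceiling quoted in this thread, as an added example that is not part of the thread and not Suricata's own code: a ring indexed by free-running `unsigned short` counters can hold at most 65535 items, because a fill level of 65536 would wrap to 0 and look empty. All names (`ring16_t`, `pool_size_ok`, `fill_until_full`) are hypothetical; it assumes a 16-bit `unsigned short` and leaves out the atomics a real lockless ring needs.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical ring with 16-bit indices; single-threaded sketch, not Suricata's code. */
typedef struct {
    unsigned short write;            /* free-running, wraps past USHRT_MAX */
    unsigned short read;
    void *slot[USHRT_MAX + 1];       /* one slot per index value */
} ring16_t;

/* Fill level: the index difference can only express 0..USHRT_MAX. */
unsigned ring16_count(const ring16_t *rb) {
    return (unsigned short)(rb->write - rb->read);
}

/* Refuse one more item when full: write - read would wrap to 0 and look empty. */
int ring16_put(ring16_t *rb, void *p) {
    if (ring16_count(rb) == USHRT_MAX)
        return -1;
    rb->slot[rb->write++] = p;
    return 0;
}

void *ring16_get(ring16_t *rb) {
    if (ring16_count(rb) == 0)
        return NULL;
    return rb->slot[rb->read++];
}

/* Hypothetical config check for a requested pool size. */
int pool_size_ok(long requested) {
    return requested >= 1 && requested <= USHRT_MAX;
}

/* Push until the ring refuses; returns how many items it accepted. */
unsigned fill_until_full(void) {
    static ring16_t rb;              /* static: too large for some stacks */
    static int packet;               /* constructed stand-in for a packet */
    unsigned n = 0;
    rb.write = rb.read = 0;
    while (ring16_put(&rb, &packet) == 0)
        n++;
    return n;
}

int main(void) {
    printf("accepted=%u truncated=%u\n", fill_until_full(),
           (unsigned)(unsigned short)66000);
    return 0;
}
```

A size of 66000 stored in such an index would silently become 464, which is why a range check at configuration time is the safer behaviour than truncation.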


