[Oisf-users] Suricata on 8 cores, ~70K packets/sec

Chris Wakelin c.d.wakelin at reading.ac.uk
Tue Feb 15 15:19:07 EST 2011


On 15/02/11 20:01, Victor Julien wrote:
> 
> If this is the case pfring is your friend. It allows you to have
> multiple reader threads that get packets from the kernel. Pfring has
> several ways of dividing packets over the readers. I'd be interested to
> see what happens with a run mode where we'd have cores/2 pfring readers
> with each 2 or 3 processing threads.
> 
> Cheers,
> Victor
> 

Yes, I was wondering whether Eric's benchmarking gave rather different
results reading a pcap file, compared to using PF_RING on a live stream
as it splits up the data for you in the kernel. I guess you need a
traffic generator to repeatedly stream the same pcap file to test.

Having said that, two detect threads (8*0.25) seems fine for the
students, so far.

I've just stopped Suricata again; this time it got

> [8492] 15/2/2011 -- 20:12:15 - (stream-tcp-reassemble.c:352) <Info> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly engine 268435456 (in use 0)

which I guess means it ran out again ...

> [8492] 15/2/2011 -- 20:12:16 - (stream-tcp.c:466) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 41353200 (in use 0)

... but that one didn't.

Again, the decode1 thread ended up using all its CPU and the packet
count dropped to 5-6K per second. Strangely, I've not seen that before
today.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094


More information about the Oisf-users mailing list