[Oisf-users] Suricata on 8 cores, ~70K packets/sec

Eric Leblond eric at regit.org
Tue Feb 15 17:09:05 UTC 2011


On Tuesday, 2011 February 15 at 16:48:04 +0000, Chris Wakelin wrote:
> Apologies for the long post!
> Here's some logs from the Suricata instance monitoring our student
> residences (no prizes for guessing which rules they trigger most often
> ...). We have an identical machine monitoring the campus network.
> I'm not sure whether setting CPU affinity would help; the comment "On
> Intel Core2 and Nehalem CPU's enabling this will degrade performance"
> put me off, though in fact our CPUs are slightly older:
> > model name      : Intel(R) Xeon(R) CPU           X5355  @ 2.66GHz
> > flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca lahf_lm tpr_shadow
> Any hints and pointers would be most welcome!

You may have a look at this post on my blog:
A git version of Suricata is required for the fine tuning described in
the page but you can also play with the threads multiplicator. On an eight
core, you could try something lower like 0.25.

Eric Leblond <eric at regit.org>
