[Oisf-users] Suricata on 8 cores, ~70K packets/sec

Eric Leblond eric at regit.org
Tue Feb 15 19:55:05 UTC 2011


On Tuesday, 15 February 2011 at 12:44 -0500, Robert Vineyard wrote:
> On 02/15/2011 12:09 PM, Eric Leblond wrote:
> > You may have a look at this post on my blog:
> > 	http://home.regit.org/?p=438
> > A git version of suricata is required for the fine tuning described in
> > the page but you can also play with the threads multiplicator. On an eight
> > core, you could try something lower like 0.25.
> After reading your blog post, I'm wondering if perhaps Suricata is running
> into the same kinds of issues that have plagued the much-delayed
> multi-threaded Snort 3.0:
> http://securitysauce.blogspot.com/2009/04/snort-30-beta-3-released.html
> I'm not sure how much if any code in Suricata is shared with Snort, but I
> found Marty's analysis here to be very enlightening.

Multithreading brings some complex issues and it can be very hard to find
how to deal with them.

I've continued my investigation on Suricata and I have arrived at a simple
conclusion. It appears that we've got something like a ratio issue
between the reading capabilities and the treatment capabilities. Two
cores/threads seem to be enough to treat the flow read by one core/thread
(in pcap file mode). If we have more than two cores, a lot of time is
spent waiting for data.

I will try to update my post on the blog as soon as I have significant
elements of proof.

Eric Leblond <eric at regit.org>