[Oisf-users] Suricata on 8 cores, ~70K packets/sec
Chris Wakelin
c.d.wakelin at reading.ac.uk
Tue Feb 15 20:19:07 UTC 2011
On 15/02/11 20:01, Victor Julien wrote:
>
> If this is the case pfring is your friend. It allows you to have
> multiple reader threads that get packets from the kernel. Pfring has
> several ways of dividing packets over the readers. I'd be interested to
> see what happens with a run mode where we'd have cores/2 pfring readers
> with each 2 or 3 processing threads.
>
> Cheers,
> Victor
>
Yes, I was wondering whether Eric's benchmarking gave rather different
results reading a pcap file, compared to using PF_RING on a live stream
as it splits up the data for you in the kernel. I guess you need a
traffic generator to repeatedly stream the same pcap file to test.

Having said that, two detect threads (8*0.25) seems fine for the
students, so far.

I've just stopped Suricata again; this time it got

> [8492] 15/2/2011 -- 20:12:15 - (stream-tcp-reassemble.c:352) <Info> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly engine 268435456 (in use 0)

which I guess means it ran out again ...

> [8492] 15/2/2011 -- 20:12:16 - (stream-tcp.c:466) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 41353200 (in use 0)

... but that one didn't.

Again, the decode1 thread ended up using all its CPU and the packet
count dropped to 5-6K per second. Strangely, I've not seen that before
today.

Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094