[Oisf-users] Suricata on 8 cores, ~70K packets/sec

Eric Leblond eric at regit.org
Tue Feb 15 23:54:12 UTC 2011


On Tuesday 15 February 2011 at 20:19 +0000, Chris Wakelin wrote:
> On 15/02/11 20:01, Victor Julien wrote:
> > 
> > If this is the case pfring is your friend. It allows you to have
> > multiple reader threads that get packets from the kernel. Pfring has
> > several ways of dividing packets over the readers. I'd be interested to
> > see what happens with a run mode where we'd have cores/2 pfring readers
> > with each 2 or 3 processing threads.
> > 
> > Cheers,
> > Victor
> > 
> Yes, I was wondering whether Eric's benchmarking gave rather different
> results reading a pcap file, compared to using PF_RING on a live stream
> as it splits up the data for you in the kernel. I guess you need a
> traffic generator to repeatedly stream the same pcap file to test.
> Having said that, two detect threads (8*0.25) seems fine for the
> students, so far.

I've continued my test and it seems switching to RunModeFilePcapAutoFp is
a good choice:

Eric Leblond <eric at regit.org>