[Oisf-users] Tuning Suricata Inline IPS performance
Dave Remien
dave.remien at gmail.com
Mon Nov 21 14:50:10 UTC 2011
You might want to look at Patrick McHardy's mem-mapped netlink and
nfnetlink_queue, referenced here:
http://home.regit.org/2011/08/patrick-mchardy-memory-mapped-netlink-and-nfnetlink_queue/
Regards,
Dave
On Mon, Nov 21, 2011 at 1:00 AM, Hariharan Thantry <thantry at gmail.com>wrote:
> Hi follks,
>
> I'm trying to squeeze out the maximum performance (throughput) from a
> Suricata inline IPS forwarding machine (configured as a gateway). My setup
> (for testing) is the following (all machines running stock 11.10 Ubuntu,
> with extra packages as necessary):
>
> Machine A (Client): Regular Desktop with one dual ported 10G 82599 NICs
> Machine B (Bridge, hosting Suricata): An entry level Xeon with 2 dual
> ported 10G 82599 NICs
> http://www.newegg.com/Product/Product.aspx?Item=N82E16813131725
> Machine C (Server): Regular Desktop with one dual ported 10G 82599 NIC
>
> The forwarding performance of the bridge with the single 10G connection
> active is ~9.5 Gbps (almost line rate), while with both 10G connections
> active is ~ 13 Gbps
>
> When I turn on Suricata (latest 1.1 release version), with the defaults,
> the speeds range between 350kbps-1Mbps (using emerging threats ruleset). I
> only have a single iptables rule that forwards all packets to the NFQUEUE
> target. I have enabled nfqueue with queue-balancing turned on. I did see
> the higher speed range (~1Mbps) achieved when I increased the number of
> default packets for simultaneous processing to ~ 4K.
>
> Few questions:
>
> (a) Can one use any other lower level packet capturing infrastructure
> instead of NFQUEUE (PF_RING, for example with TNAPI, for e.g.?)
> (b) Is it possible at all to avoid copying the packet over, even when
> using NFQUEUE (the nfqueue library seems to be allowing this..?), and thus
> improve speeds
> (c) Other tunable knobs (either in Suricata, or lower level tcp
> parameters) that I could use to try and improve performance?
>
>
> Thanks,
> Hari
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
--
".... We are such stuff
As dreams are made on; and our little life
Is rounded with a sleep."
-- Shakespeare, The Tempest - Act 4
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20111121/ca40f2a7/attachment-0002.html>
More information about the Oisf-users
mailing list