[Oisf-users] Suricata and CPU threads

Peter Manev petermanev at gmail.com
Fri Aug 24 10:29:20 UTC 2012


I just wanted to add (since you are going to compare pfring and afpacket),
that during test runs with the team a few weeks ago
with
1.3.1 (corresponding git back then)
afpacket
8cpu/16threads
5K ruleset
16G RAM
on a 9.5Gb ISP traffic

we were able to achieve 75%cpu load and 0 drops
IMHO - is pretty good

if you desire any help, do not hesitate...

On Fri, Aug 24, 2012 at 12:03 PM, Victor Julien <victor at inliniac.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Eric's post
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/ also has
> some example config on irq affinity and other performance config options.
>
> On 08/23/2012 05:23 PM, Martin Holste wrote:
> > You should set the cluster-id for pfring as well as the
> > cluster-type: cluster_flow in suricata.yaml.  Also, you should set
> > threads: 8 (no more than 8 or you get diminishing returns).  If you
> > set the interface, then you can start with --pfring instead of
> > --pfring-int= .
> >
> > On Thu, Aug 23, 2012 at 6:53 AM, Peter Bates
> > <peter.bates at ucl.ac.uk> wrote:
> >
> > Hello all
> >
> > First of all, congratulations on Suricata 1.3.1!
> >
> > I've been reading the 'Threading' section of
> >
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
> >
> >  and would still appreciate a few pointers.
> >
> > I'm intending to use PF_RING for packet capture and am used to
> > spawning multiple instances of Snort which are specifically bound
> > to CPU cores - and also running 'set_irq_affinity.sh' to tie ixgbe
> > IRQs to specific cores.
> >
> > I have 16 cores/32 threads - will the default suricata.yaml work
> > accordingly if I select --pfring-int=ethX ?
> >
> > I'm tempted to compare AF_PACKET + PACKET_FANOUT against PF_RING
> > but I'm not keen on running too many 'experimental' (to quote
> > suricata.yaml) features.
> >
> >>
> >> _______________________________________________ Oisf-users
> >> mailing list Oisf-users at openinfosecfoundation.org
> >> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >>
> _______________________________________________
> > Oisf-users mailing list Oisf-users at openinfosecfoundation.org
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
> - --
> - ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> - ---------------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAlA3UX0ACgkQiSMBBAuniMdxOwCfUvtvqnpETA1h4cttHSTVvuzN
> nyUAn1yZTBN58s0Fqtf5L/AaTT4YPaoL
> =ALiW
> -----END PGP SIGNATURE-----
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



-- 
Regards,
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120824/98fe1b6b/attachment-0002.html>


More information about the Oisf-users mailing list