[Oisf-users] Napatech support in Suricata: thread configuration and flow pinning

Stefano Debenedetti ste at demaledetti.net
Thu Dec 13 16:55:08 UTC 2012 

Hello Matt,

thanks for your answer, please see inline:

Il 13/12/2012 17:36, Matthew Keeler ha scritto:
> With 3GD in Suricata the threading configuration is done by Suricata. It uses the builtin auto, autofp or workers run modes with workers being the most efficient in my testing.
> 
> The built in workers run mode will use one thread per stream configured using NTPL. If you want 8 threads, then you should configure 8 streams.


In my understanding, in workers mode all the work on a single packet
(not only capture but also decoding, detection, ...) is done on a
single thread. If this is true then I won't achieve to split the
work between 8 cores for capturing and forwarding and the other 24
cores for doing the rest of the work (decoding, detection, ...).

On the other hand, I don't want to use more than 8 streams for
capturing and forwarding because in my tests it gave worse
performance than with 8 streams.

Therefore, I guess my only option is autofp, is this correct?

ciao
ste

> As for the flow pinning the Napatech card can do it or you can have
it round robin packets to the individual streams. As for the flow
pinning in Suricata, someone else can provide a more in depth answer
on the subject.
> 
> Matt Keeler
> nPulse Technologies, Inc.
> mk at npulsetech.com
> 
> On Dec 13, 2012, at 11:16 AM, Stefano Debenedetti <ste at demaledetti.net> wrote:
> 
>> hello,
>>
>> I'm happy to see that 3rd generation drivers support for Napatech
>> cards is going to be in 1.4.
>>
>> I am testing a NT20E2 In-Line card [1] and using Napatech's example
>> packet forwarding program I found out that the best performance is
>> achieved with 8 cores (0 packet drop with full-duplex 10G link fully
>> saturated at any packet size) but I have 32 cores on my test machine
>> so I would like to use the other 24 cores for packet decoding,
>> reassembly and detection.
>>
>> I find Suricata's threading configuration a bit hard to understand,
>> could anybody please point me to an example of how to do this?
>>
>> Another question: the card has its own hardware-based 5-tuple
>> bi-directional flow-pinning functionality that will make packets
>> from same flow stay on the same core, in a setup like what I
>> described above there would be another layer of flow-pinning made in
>> software by Suricata, right?
>>
>> Thanks ciao
>> ste
>>
>> [1]
>> http://www.napatech.com/products/in-line_adapters/2x10g_pcie_nt20e2.html
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
> 
> 
> --------------------------------------------------------------------
> The information contained herein is for the exclusive use of the original recipient.  This information is granted for limited distribution within the recipient's organization for planning purposes only.  Further dissemination, whether private or public, is prohibited and may be covered under a non-disclosure agreement.
>

More information about the Oisf-users mailing list