[Oisf-users] Suricata with PF_RING on latest git
Edward Fjellskål
edwardfjellskaal at gmail.com
Wed Jul 4 22:00:59 UTC 2012
On 07/04/2012 11:37 PM, Eric Leblond wrote:
> Hello,
>
> Le mercredi 04 juillet 2012 à 22:56 +0200, Edward Fjellskål a écrit
> :
>> ..
>>>> What confuses me is that "-lpthread" is already in the
>>>> generated compile flags, but somehow the order matters, at
>>>> least in Ubuntu 12.04.
>>>
>>> That's weird! I will have a look. I'm currently downloading an
>>> ubuntu.
>>>
>>> People should really use af-packet instead of pf-ring ;)
>> ..
>>
>> Im testing different stuff now, and on an old Intel dual core
>> here, I was seeing 17% packetloss using af-packet with zero copy
>> on a 60Mbit/s link that I feed with tcpreplay. I tried upping
>> buffers, but not much difference :(
>
> Strange. What happen if you increase the number of threads and use
> the flow load balancing:
>
> af-packet: - interface: eth0 threads: 2 cluster-id: 99
> cluster-type: cluster_flow defrag: yes use-mmap: yes
hm....
that brought me down to less than 0.010% packetloss on 70Mbit/s
One thread seems to loose packets, and the other not though :)
Big smile! And very c00l!
>
>
>>
>> With pfring and pfring aware network driver: driver: e1000e
>> version: 2.0.0.1-NAPI firmware-version: 0.15-4
>>
>> I have 0% packetloss on the same amount of traffic....
>>
>> I followed:
>> https://home.regit.org/2012/02/using-af_packet-zero-copy-mode-in-suricata/
>>
>>
>>
for the afpacket ( but the --runmode=worker is incorrect,
>> should be --runmode=workers - there are more such typ0s if you
>> look at --list-runmodes)
>
> Blog fixed. Thanks for the remark. Regarding the list of runmodes,
> there is some stupid typos (my fault I think) but it would break
> backward compatibility if we change it now.
>
> BR,
>
>>
>>> From the testing Im doing now, about 50% of the times I stop
>> suricata, it wont... One time it spit out some info about it
>> taking too long to shut down, and after a little while killed
>> itself!
>>
>> E _______________________________________________ Oisf-users
>> mailing list Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
More information about the Oisf-users
mailing list