[Oisf-users] Suricata with PF_RING on latest git

Edward Fjellskål edwardfjellskaal at gmail.com
Wed Jul 4 22:00:59 UTC 2012


On 07/04/2012 11:37 PM, Eric Leblond wrote:
> Hello,
> 
> On Wednesday 04 July 2012 at 22:56 +0200, Edward Fjellskål wrote:
>> ..
>>>> What confuses me is that "-lpthread" is already in the
>>>> generated compile flags, but somehow the order matters, at
>>>> least in Ubuntu 12.04.
>>> 
>>> That's weird! I will have a look. I'm currently downloading an
>>> ubuntu.
>>> 
>>> People should really use af-packet instead of pf-ring ;)
>> ..
>> 
>> I'm testing different stuff now, and on an old Intel dual core
>> here, I was seeing 17% packetloss using af-packet with zero copy
>> on a 60Mbit/s link that I feed with tcpreplay. I tried upping
>> buffers, but not much difference :(
> 
> Strange. What happens if you increase the number of threads and use
> the flow load balancing:
> 
> af-packet:
>   - interface: eth0
>     threads: 2
>     cluster-id: 99
>     cluster-type: cluster_flow
>     defrag: yes
>     use-mmap: yes

hm....

that brought me down to less than 0.010% packetloss on 70Mbit/s
One thread seems to lose packets, and the other not though :)

Big smile! And very c00l!

> 
> 
>> 
>> With pfring and pfring aware network driver:
>> driver: e1000e
>> version: 2.0.0.1-NAPI
>> firmware-version: 0.15-4
>> 
>> I have 0% packetloss on the same amount of traffic....
>> 
>> I followed:
>> https://home.regit.org/2012/02/using-af_packet-zero-copy-mode-in-suricata/
>> for the afpacket (but the --runmode=worker is incorrect,
>> should be --runmode=workers - there are more such typ0s if you
>> look at --list-runmodes)
> 
> Blog fixed. Thanks for the remark. Regarding the list of runmodes,
> there are some stupid typos (my fault I think) but it would break
> backward compatibility if we change it now.
> 
> BR,
> 
>> 
>> From the testing I'm doing now, about 50% of the times I stop
>> suricata, it won't... One time it spit out some info about it
>> taking too long to shut down, and after a little while killed
>> itself!
>> 
>> E
>


