[Oisf-users] Suricata with PF_RING on latest git

Eric Leblond eric at regit.org
Thu Jul 5 05:55:31 UTC 2012 

Hello,

Le jeudi 05 juillet 2012 à 00:00 +0200, Edward Fjellskål a écrit :
> On 07/04/2012 11:37 PM, Eric Leblond wrote:
> > Hello,
> > 
> > Le mercredi 04 juillet 2012 à 22:56 +0200, Edward Fjellskål a écrit
> > :
> >> ..
> >>>> What confuses me is that "-lpthread" is already in the
> >>>> generated compile flags, but somehow the order matters, at
> >>>> least in Ubuntu 12.04.
> >>> 
> >>> That's weird! I will have a look. I'm currently downloading an
> >>> ubuntu.
> >>> 
> >>> People should really use af-packet instead of pf-ring ;)
> >> ..
> >> 
> >> Im testing different stuff now, and on an old Intel dual core
> >> here, I was seeing 17% packetloss using af-packet with zero copy
> >> on a 60Mbit/s link that I feed with tcpreplay. I tried upping
> >> buffers, but not much difference :(
> > 
> > Strange. What happen if you increase the number of threads and use
> > the flow load balancing:
> > 
> > af-packet: - interface: eth0 threads: 2 cluster-id: 99 
> > cluster-type: cluster_flow defrag: yes use-mmap: yes
> 
> hm....
> 
> that brought me down to less than 0.010% packetloss on 70Mbit/s
> One thread seems to loose packets, and the other not though :)
> 
> Big smile! And very c00l!

That's the kind of mail I like in the morning :)

I woke up with this morning what I thought is an explanation. I've setup
a ring buffer with a too small size which could cause the packet loss
you've observed.

The attached patch should fix the issue. The default setup should be ok
but you can now setup the ring size (in number of packet) via the
ring-size variable.

For example, if you're max_pending_packets is 1024, a memory aggressive
setup would be:

af-packet:
  - interface: eth0
    threads: 2
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 2048

This will cause suricata to allocate a ring buffer of size "ring-size *
MTU size" for each threads.

BR,
-- 
Eric Leblond 
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-af-packet-improve-mmaped-running-mode.patch
Type: text/x-patch
Size: 4667 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120705/b17648ba/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120705/b17648ba/attachment.sig>

More information about the Oisf-users mailing list