[Oisf-users] performance on VM

Theodore Elhourani theodore.elhourani at gmail.com
Wed Aug 7 20:58:44 UTC 2013

Thank you for the suggestions.

The testing is done under Xen. There is no vpfring support under Xen, it
seems KVM is the only hypervisor implementing vpfring. I am using afpacket,
and have turned off offloading.

The tcp/htp memcaps may need some adjustment.

On Wed, Aug 7, 2013 at 1:28 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Wed, Aug 7, 2013 at 10:18 AM, Duarte Silva
> <duarte.silva at serializing.me> wrote:
> > Hi Theodore,
> >
> > tunning Suricata in a VM is no different from a bare hardware solution.
> The
> > same basic principles apply. You can check this thread [1], it contains
> a lot
> > of pointers.
> >
> > There isn't a recipe though, every setup is different, but usually after
> > fiddling for some time you will get it right :D
> >
> You could try afpacket or pfring.
> Make sure you have the flow timeout values set right in the suricata.yaml.
> There are plenty of tcp/htp memcaps to tweek with
> (stream/reassembly/depth).  You could see in stats log what is hitting
> the memlimits and maybe readjust some memcaps/timeouts based on that.
> There is also the checksum validation that could be useful set to "no"
> especially if on VMware - most  VMs have a lot of offloading features
> enabled by default (gro/tso...) - ethtool -k eth1 -> to find out what
> is sett to offload (on) and what not. NOTE - some guest network card
> features are nonadjustable under 2008 Hyper-V host, but you are
> referring to VMware so this is different.
> Just a suggestion for starters :)
> --
> Regards,
> Peter Manev
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130807/aeb4b539/attachment-0002.html>

More information about the Oisf-users mailing list