[Oisf-users] Tuning Suricata (2.0beta1) -- no rules and lots of packet loss

Cooper F. Nelson cnelson at ucsd.edu
Thu Aug 15 06:24:37 UTC 2013

Hash: SHA1

You don't have enough memory, you need at least two gigs per core.  On
my sensor I have three, so I run with deep ring buffers.  So, you need
at least 96 gigs of RAM on your system (I see you have 64 from the top
printout).  Try setting your ring size small (like 50000) or getting
more memory.

Did you restart irqbalance after you updated the driver?  I've had a
similar issue in the past that was fixed by restarting irqbalance.

IF you really have a limit of 32 RX queues, there is an easy fix for
this.  Just set the 'threads' section in af-packet mode to '32' and it
will use the first 32 cores only.  This will also fix your memory
issues, as only 32 ring buffers will be allocated.

- -Coop

On 8/14/2013 11:03 PM, Tritium Cat wrote:
> I tried all of your recommendations and performance is worse.  Short of
> having the exact same server and single card there's nothing else I can
> match exactly.
> ring-size=300000 exhausts memory and swap.  Even ring-size=100000 is taxing
> on the system and consumes 56GB ram.
> Also updated ixgbe to latest version as recommended on the blog.  Not sure
> if this is connected but oddly it seems now I am reaching a limit of 32
> CPUs/queues with unused cores at 100% idle.  I think there are some errors
> on the blog too with the ixgbe parameters and expectations of queues but
> that is besides the point.  (FdirPballoc is for hardware filters and not
> relevant here?)
> I cannot explain the feeling of how old this is becoming especially when
> all others seem to have success.  I guess maybe the answer must be
> filtering out lots of traffic however the traffic profile is definitely
> less than the 1M to 1.5M pps mentioned in the blog.  (The blog server is
> less powerful too?)
> For now I will just be happy with dropping 10-40% and restarting the IDS
> daily, a half working IDS is better than no IDS :p
> Thanks for the detail it is still helpful.  Better luck tomorrow !
> --TC

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the Oisf-users mailing list