[Oisf-users] Tuning Suricata (2.0beta1) -- no rules and lots of packet loss
Cooper F. Nelson
cnelson at ucsd.edu
Thu Aug 15 06:24:37 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You don't have enough memory, you need at least two gigs per core. On
my sensor I have three, so I run with deep ring buffers. So, you need
at least 96 gigs of RAM on your system (I see you have 64 from the top
printout). Try setting your ring size small (like 50000) or getting
more memory.
Did you restart irqbalance after you updated the driver? I've had a
similar issue in the past that was fixed by restarting irqbalance.
IF you really have a limit of 32 RX queues, there is an easy fix for
this. Just set the 'threads' section in af-packet mode to '32' and it
will use the first 32 cores only. This will also fix your memory
issues, as only 32 ring buffers will be allocated.
- -Coop
On 8/14/2013 11:03 PM, Tritium Cat wrote:
> I tried all of your recommendations and performance is worse. Short of
> having the exact same server and single card there's nothing else I can
> match exactly.
>
> ring-size=300000 exhausts memory and swap. Even ring-size=100000 is taxing
> on the system and consumes 56GB ram.
>
> Also updated ixgbe to latest version as recommended on the blog. Not sure
> if this is connected but oddly it seems now I am reaching a limit of 32
> CPUs/queues with unused cores at 100% idle. I think there are some errors
> on the blog too with the ixgbe parameters and expectations of queues but
> that is besides the point. (FdirPballoc is for hardware filters and not
> relevant here?)
>
> I cannot explain the feeling of how old this is becoming especially when
> all others seem to have success. I guess maybe the answer must be
> filtering out lots of traffic however the traffic profile is definitely
> less than the 1M to 1.5M pps mentioned in the blog. (The blog server is
> less powerful too?)
>
> For now I will just be happy with dropping 10-40% and restarting the IDS
> daily, a half working IDS is better than no IDS :p
>
> Thanks for the detail it is still helpful. Better luck tomorrow !
>
> --TC
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJSDHQlAAoJEKIFRYQsa8FW52cH/Ra9hCCkaILihWKhpIozi7Fh
phjTjJckrsPjOAbtHmUvQmA/JY+D4rY3POyLWOgTsoeXdYOXqPs4dLkpSZtGwND0
NLLz5IBDzQk5GRzqryAKbb9q3SXm+c4bOdc6ML/7sTVhfSNDHCjVygzynubHMVbz
6asVSeXUtiEj6OlCtOMlB2B6eJfeYb+lFwpIonK2JZeBI5EgSkhUPj0JNsZLrSsP
Nu+eEFi37kG0YwoqgYvVcTOWkHRNLgd88e0DsaqraM7sVfJ3GGd11IL6aHwk8riF
xLRhiFoyD5sCIHgB7yzEwHJtgHkRGkJ+JAmQ6tWGMkvZmx/i7uZG0cQgM6+TDQE=
=lg89
-----END PGP SIGNATURE-----
More information about the Oisf-users
mailing list