[Oisf-users] Tuning Suricata (2.0beta1) -- no rules and lots of packet loss

Tritium Cat tritium.cat at gmail.com
Wed Aug 21 17:11:59 UTC 2013 

Hello.  Yes I am aware of that.  You've not read the entire thread; I was
using more than one card.

--TC


On Wed, Aug 21, 2013 at 10:00 AM, vpiserchia at gmail.com <vpiserchia at gmail.com
> wrote:

> Hello,
>
> Intel cards based on 82598/82599 can support up to 16 RSS queues only.
>
> for example read this:
>
> http://www.gossamer-threads.com/lists/ntop/misc/30009
>
> regards
> -v
>
> On 08/21/2013 06:52 PM, Tritium Cat wrote:
> > No, it doesn't work, at least in the sense of only 1% packet loss being
> considered a success.  Something odd with the Intel cards is preventing
> more than 16 hardware queues from being used as the system will only show
> activity with 16 cores in workers mode, all other CPUs are 100% idle.  The
> RSS parameter to the ixgbe module needs to be set for each port although it
> claims to automatically use # of cores or # of ports, whichever is greater.
>  Also again, about FdirMode=3.. I don't think it applies here.
> >
> > I've since removed the additional cards and just experiment with one.
>  autofp mode isn't working as I'd expect either.
> >
> > Adjusting the MTU did reduce memory consumption.  I suppose that is
> meant to reflect the average pMTU of flows and not the link connected to
> the sensor.  The documentation could be written better to reflect this as
> that part seems to imply something different.  (yes, reading more about MTU
> and IDS from various sources makes it clear).  Regarding documentation the
> af-packet section regarding the zero-copy ring size conflicting with
> buffer_size should be updated; values that are commented out are assumed to
> be 'defaults' like in many other configuration scenarios;  I'm glad you
> pointed this out as it is definitely not apparent to me from just looking
> at the configuration.
> >
> > I'm going to go away now to read code and experiment more.
> >
> > --TC
> >
> >
> > autofp Example:
> >
> > capture.kernel_packets    | RxAFPeth41                | 7117283101
> > capture.kernel_drops      | RxAFPeth41                | 4885784393
> > capture.kernel_packets    | RxAFPeth42                | 7290835993
> > capture.kernel_drops      | RxAFPeth42                | 5061427961
> > capture.kernel_packets    | RxAFPeth43                | 7213432976
> > capture.kernel_drops      | RxAFPeth43                | 4941736439
> > capture.kernel_packets    | RxAFPeth44                | 7273721753
> > capture.kernel_drops      | RxAFPeth44                | 5046375696
> > capture.kernel_packets    | RxAFPeth45                | 7702660203
> > capture.kernel_drops      | RxAFPeth45                | 5473406098
> > capture.kernel_packets    | RxAFPeth46                | 6526210366
> > capture.kernel_drops      | RxAFPeth46                | 4280571057
> > capture.kernel_packets    | RxAFPeth47                | 7473635100
> > capture.kernel_drops      | RxAFPeth47                | 5264888903
> > capture.kernel_packets    | RxAFPeth48                | 8001217687
> > capture.kernel_drops      | RxAFPeth48                | 5781338601
> > capture.kernel_packets    | RxAFPeth49                | 7935510106
> > capture.kernel_drops      | RxAFPeth49                | 5684606164
> > capture.kernel_packets    | RxAFPeth410               | 6672471328
> > capture.kernel_drops      | RxAFPeth410               | 4480440331
> > capture.kernel_packets    | RxAFPeth411               | 4012330752
> > capture.kernel_drops      | RxAFPeth411               | 2650530005
> > capture.kernel_packets    | RxAFPeth412               | 6938284654
> > capture.kernel_drops      | RxAFPeth412               | 4686886437
> > capture.kernel_packets    | RxAFPeth413               | 7368646714
> > capture.kernel_drops      | RxAFPeth413               | 5117305059
> > capture.kernel_packets    | RxAFPeth414               | 5284771030
> > capture.kernel_drops      | RxAFPeth414               | 3751148947
> > capture.kernel_packets    | RxAFPeth415               | 7373582300
> > capture.kernel_drops      | RxAFPeth415               | 5176332364
> > capture.kernel_packets    | RxAFPeth416               | 7114510564
> > capture.kernel_drops      | RxAFPeth416               | 4903112771
> > capture.kernel_packets    | RxAFPeth417               | 68112
> > capture.kernel_drops      | RxAFPeth417               | 0
> > capture.kernel_packets    | RxAFPeth418               | 80839
> > capture.kernel_drops      | RxAFPeth418               | 0
> > capture.kernel_packets    | RxAFPeth419               | 77292
> > capture.kernel_drops      | RxAFPeth419               | 0
> > capture.kernel_packets    | RxAFPeth420               | 90287
> > capture.kernel_drops      | RxAFPeth420               | 0
> > capture.kernel_packets    | RxAFPeth421               | 78012
> > capture.kernel_drops      | RxAFPeth421               | 0
> > capture.kernel_packets    | RxAFPeth422               | 74278
> > capture.kernel_drops      | RxAFPeth422               | 0
> > capture.kernel_packets    | RxAFPeth423               | 79919
> > capture.kernel_drops      | RxAFPeth423               | 0
> > capture.kernel_packets    | RxAFPeth424               | 84155
> > capture.kernel_drops      | RxAFPeth424               | 0
> > capture.kernel_packets    | RxAFPeth425               | 84760
> > capture.kernel_drops      | RxAFPeth425               | 0
> > capture.kernel_packets    | RxAFPeth426               | 85328
> > capture.kernel_drops      | RxAFPeth426               | 0
> > capture.kernel_packets    | RxAFPeth427               | 81765
> > capture.kernel_drops      | RxAFPeth427               | 0
> > capture.kernel_packets    | RxAFPeth428               | 83583
> > capture.kernel_drops      | RxAFPeth428               | 0
> > capture.kernel_packets    | RxAFPeth429               | 91101
> > capture.kernel_drops      | RxAFPeth429               | 0
> > capture.kernel_packets    | RxAFPeth430               | 104013
> > capture.kernel_drops      | RxAFPeth430               | 0
> > capture.kernel_packets    | RxAFPeth431               | 92905
> > capture.kernel_drops      | RxAFPeth431               | 0
> > capture.kernel_packets    | RxAFPeth432               | 98068
> > capture.kernel_drops      | RxAFPeth432               | 0
> >
> >
> >
> > On Sun, Aug 18, 2013 at 10:43 PM, Cooper F. Nelson <cnelson at ucsd.edu<mailto:
> cnelson at ucsd.edu>> wrote:
> >
> > No problem and please let us know if the 'worker' mode config works for
> > you.  I'm planning on building a 40gig sensor and it would help if I
> > knew how it performed with multiple NICs.
> >
> > -Coop
> >
> > On 8/16/2013 5:36 PM, Tritium Cat wrote:
> >> Cooper,
> >
> >> Thanks again for the explanations and supporting information.
> >
> >> --TC
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130821/8a13647b/attachment-0002.html>

More information about the Oisf-users mailing list