[Oisf-users] Tuning Suricata (2.0beta1) -- no rules and lots of packet loss

Wed Aug 21 17:13:11 UTC 2013

I can't remember whether you guys tried PF_RING + DNA + libzero? You
could have 32 queues then, I think. It bypasses the Intel RSS stuff.
(Also, an ugly combination of RSS + PF_RING libzero could enable 16*32
queues, subject to DMA memory constraints, though not sure how well it
would work!)

Best Wishes,
Chris

On 21/08/13 18:00, vpiserchia at gmail.com wrote:
> Hello,
> 
> Intel cards based on 82598/82599 can support up to 16 RSS queues only.
> 
> for example read this:
> 
> http://www.gossamer-threads.com/lists/ntop/misc/30009
> 
> regards
> -v
> 
> On 08/21/2013 06:52 PM, Tritium Cat wrote:
>> No, it doesn't work, at least in the sense of only 1% packet loss being considered a success.  Something odd with the Intel cards is preventing more than 16 hardware queues from being used as the system will only show activity with 16 cores in workers mode, all other CPUs are 100% idle.  The RSS parameter to the ixgbe module needs to be set for each port although it claims to automatically use # of cores or # of ports, whichever is greater.  Also again, about FdirMode=3.. I don't think it applies here.
>>
>> I've since removed the additional cards and just experiment with one.  autofp mode isn't working as I'd expect either.
>>
>> Adjusting the MTU did reduce memory consumption.  I suppose that is meant to reflect the average pMTU of flows and not the link connected to the sensor.  The documentation could be written better to reflect this as that part seems to imply something different.  (yes, reading more about MTU and IDS from various sources makes it clear).  Regarding documentation the af-packet section regarding the zero-copy ring size conflicting with buffer_size should be updated; values that are commented out are assumed to be 'defaults' like in many other configuration scenarios;  I'm glad you pointed this out as it is definitely not apparent to me from just looking at the configuration.
>>
>> I'm going to go away now to read code and experiment more.
>>
>> --TC

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094