[Oisf-users] Using "pass" to ignore research data traffic

[Chris Wakelin]

On 15/01/13 12:28, Peter Manev wrote:
>>
>> That's made a huge difference! I'd just resorted to using PF_RING via
>> libpcap (where the BPF filters may work) which seemed to be doing a bit
>> better. Putting in your patch and going back to direct PF_RING is
>> dropping almost no packets at 1.2Gb/s.
>>
>> Chris  - what is your HW set up, if you don't mind me asking?
> 

Not at all! It's a Dell PowerEdge R620 with 32GB ram (soon to be 64GB I
hope) and an Intel X520-DA2 dual port 10GB card.

I'm using PF_RING + DNA + libzero, and distributing the packets between
three different applications, Suricata and Bro IDS on 8 queues, and
ARGUS on its own queue, each of which sees everything (which I probably
can't do with AF_PACKET and fanout).

About 800-900Mb of that 1.2Gb/s is research data traffic and should
ideally be ignored by Suricata (and Bro) but counted by ARGUS flow-logging.

I'm not using all the CPUs fully yet, (due to problems with libzero; I'm
not able to test changes in that easily at the moment as it upset our
border switch once by *sending* packets; I now have to schedule changes
in our change-management process).

On the student network, I've got an identical machine. The traffic peaks
at 800Mb/s, but is much more balanced, and I'm interested in IDS on all
of it. I'm not running Bro, just Suricata and ARGUS, using 15 queues for
Suricata and one for ARGUS.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094