[Oisf-users] getting started with suri -- tuning

Russell Fulton r.fulton at auckland.ac.nz
Sat Jul 27 23:55:04 UTC 2013

On 27/07/2013, at 11:26 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> Hi
> I now have suri running on my test sensor (Ubuntu with suri from current Security Onion packages).  Machine has 16 cores and 8GB of memory and is seeing order of 800Mbps traffic.  Currently using Pcap while I get the pf_ring stuff sorted out.

That should have been 32GB memory — the recommended 2GB per core!

> Suri is reporting dropping 70% of the packets.  I have used the config file that came with SO package — suitably tweaked for our setup.

Making progress :)

The main issue seems to have been that I was using pcap. Things behave sensibly when I use either af_packet or pfring.

I had to raise the flow.memcap to avoid the "Flow emergency mode over, back to normal… " messages.

I am sure that I will need to do more tuning before this goes into production but it will do for the moment.

Thanks for the pointers.

