[Oisf-users] getting started with suri -- tuning

Duarte Silva duarte.silva at serializing.me
Mon Jul 29 13:51:31 UTC 2013

On Saturday 27 July 2013 23:55:04 Russell Fulton wrote:
> On 27/07/2013, at 11:26 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> > Hi
> > 
> > I now have suri running on my test sensor (ubuntu with suri from current
> > security onion packages).  Machine has 16 cores and 8GB of memory and is
> > seeing order of 800Mbps traffic.  Currently using Pcap while I get the
> > pf_ring stuff sorted out.
> That should have been 32GB memory — the recommended 2GB per core!
> > Suri is reporting dropping 70% of the packets.  I have used the config file
> > that came with SO package — suitably tweaked for our setup.
> Making progress :)
> The main issue seems to have been that I was using pcap. Things behave
> sensibly when I use either af_packet or pfring.
> I had to raise the flow.memcap to avoid the "Flow emergency mode over, back
> to normal… " messages.
> I am sure that I will need to do more tuning before this goes into
> production but it will do for the moment.
> Thanks for the pointers.
> Russell

Hi Russell,

one thing you can also try is to set CPU affinity for each receive queue, 
increase the RX ring buffer size to the maximum that is allowed by the hardware 
and disable the offload capabilities of the network interface.

An example follows; note that the IRQ affinity and the RX queue balancing are 
for a four core processor.

# Increase the RX ring buffer on the sniffing interface
ethtool -G eth1 rx 4096

# Disable offload features
ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 tso off
ethtool -K eth1 gso off
ethtool -K eth1 gro off
ethtool -K eth1 lro off
ethtool -K eth1 rxvlan off
ethtool -K eth1 txvlan off

# Set the IRQ affinity
echo 1 >/proc/irq/80/smp_affinity
echo 2 >/proc/irq/81/smp_affinity
echo 4 >/proc/irq/82/smp_affinity
echo 8 >/proc/irq/83/smp_affinity

# Balance evenly the receive queues
ethtool -X eth1 equal 4
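
The IRQ numbers 80 to 83 above are specific to that machine. As an added example (not part of the original post), this script reads /proc/interrupts-format text and derives the same one-CPU-per-queue masks, printing the write commands for review instead of running them. The sample table and the `<iface>-<name>-<n>` queue naming are assumptions, since naming varies by driver.

```shell
#!/bin/sh
# Added example: derive IRQ -> smp_affinity pairs for an interface's queues
# instead of hard-coding IRQ numbers.

# Constructed sample in /proc/interrupts format (IRQ numbers and queue names
# are made up to match the four-queue case in the post).
sample_interrupts() {
cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  16:        120          0          0          0   IO-APIC   16-fasteoi   ehci_hcd
  79:          3          0          0          0   PCI-MSI   eth1
  80:     901234          0          0          0   PCI-MSI   eth1-TxRx-0
  81:          0     884120          0          0   PCI-MSI   eth1-TxRx-1
  82:          0          0     870011          0   PCI-MSI   eth1-TxRx-2
  83:          0          0          0     912345   PCI-MSI   eth1-TxRx-3
  90:      55555          0          0          0   PCI-MSI   eth0-TxRx-0
EOF
}

# Print "IRQ MASK" for each queue IRQ of interface $1, reading
# /proc/interrupts-format text on stdin. Queue n is pinned to CPU n, so the
# mask is 1 << n in hex. Assumes fewer than 32 queues: masks beyond CPU 31
# use a comma-separated form that is not handled here.
queue_affinity() {
    awk -v ifc="$1" '
        $NF ~ ("^" ifc "-.*-[0-9]+$") {
            irq = $1; sub(":", "", irq)      # "80:" -> "80"
            n = $NF;  sub(/^.*-/, "", n)     # "eth1-TxRx-2" -> "2"
            printf "%s %x\n", irq, 2 ^ n
        }'
}

# Emit (do not run) the write commands so they can be reviewed first.
affinity_commands() {
    queue_affinity "$1" | while read -r irq mask; do
        echo "echo $mask >/proc/irq/$irq/smp_affinity"
    done
}

# On a live sensor, feed /proc/interrupts instead of the sample.
sample_interrupts | affinity_commands eth1
```

Run against the sample, it prints the same four `echo` lines as in the post.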

