[Oisf-users] getting started with suri -- tuning

Cooper F. Nelson cnelson at ucsd.edu
Wed Jul 31 14:51:06 UTC 2013


Russell,

When dealing with performance issues, try setting the stream depth and
timeouts very low.  Like <1Mb and 5 secs, respectively.  I've found
these settings have had the most effect on improving performance in
environments with lots of tcp flows.

Once you get that dialed in, if you want better performance you need to
buy a box with more cores.

-Coop

On 7/29/2013 6:51 AM, Duarte Silva wrote:
> On Saturday 27 July 2013 23:55:04 Russell Fulton wrote:
>> On 27/07/2013, at 11:26 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>>> Hi
>>>
>>> I now have suri running on my test sensor (ubuntu with suri from current
>>> security onion packages).  Machine has 16 cores and 8GB of memory and is
>>> seeing order of 800Mbps traffic.  Currently using Pcap while I get the
>>> pf_ring stuff sorted out.
>> That should have been 32GB memory — the recommended 2GB per core!
>>
>>> Suri is reporting dropping 70% of the packets.  I have used the config file
>>> that came with SO package — suitably tweaked for our setup.
>> Making progress :)
>>
>> The main issue seems to have been that I was using pcap. Things behave
>> sensibly when I use either af_packet or pfring.
>>
>> I had to raise the flow.memcap to avoid the "Flow emergency mode over, back
>> to normal… " messages.
>>
>> I am sure that I will need to do more tuning before this goes into
>> production but it will do for the moment.
>>
>> Thanks for the pointers.
>>
>> Russell
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
> 
> Hi Russell,
> 
> one thing you can also try is to set CPU affinity for each receive queue,
> increase the RX ring buffer size to the maximum that is allowed by the hardware
> and disable the offload capabilities of the network interface.
>
> An example follows; note that the IRQ affinity and the RX queue balancing are for a
> four core processor.
> 
> # Increase the RX ring buffer on the sniffing interface
> ethtool -G eth1 rx 4096
> 
> # Disable offload features
> ethtool -K eth1 rx off
> ethtool -K eth1 tx off
> ethtool -K eth1 sg off
> ethtool -K eth1 tso off
> ethtool -K eth1 gso off
> ethtool -K eth1 gro off
> ethtool -K eth1 lro off
> ethtool -K eth1 rxvlan off
> ethtool -K eth1 txvlan off
> 
> # Set the IRQ affinity
> echo 1 >/proc/irq/80/smp_affinity
> echo 2 >/proc/irq/81/smp_affinity
> echo 4 >/proc/irq/82/smp_affinity
> echo 8 >/proc/irq/83/smp_affinity
> 
> # Balance evenly the receive queues
> ethtool -X eth1 equal 4
> 
> Regards,
> Duarte


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
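
A check to run after the `ethtool -K` commands quoted above, as an added example that is not part of the original thread: it reads `ethtool -k` output on stdin and lists any of those offloads that are still on, marking the ones the driver reports as `[fixed]`. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify the offloads were really disabled.

# Long names that `ethtool -k` prints for the short -K flags used in the message:
# rx tx sg tso gso gro lro rxvlan txvlan
OFFLOAD_FEATURES="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload generic-segmentation-offload \
generic-receive-offload large-receive-offload \
rx-vlan-offload tx-vlan-offload"

# Reads `ethtool -k <iface>` output on stdin.
# Prints one line per watched feature that is still on, with " [fixed]"
# appended when the driver does not allow changing it.
# Exit status: 0 if all watched features are off, 1 otherwise.
offloads_still_on() {
    awk -v want="$OFFLOAD_FEATURES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        {
            name = $1
            sub(/:$/, "", name)
            if ((name in watch) && $2 == "on") {
                tag = ($3 == "[fixed]") ? " [fixed]" : ""
                print name tag
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `ethtool -k eth1` output (not captured from a real host).
sample_ethtool_k() {
    cat <<'EOF'
Features for eth1:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]
tx-vlan-offload: off
EOF
}

# Real use: ethtool -k eth1 | offloads_still_on
sample_ethtool_k | offloads_still_on || true
```

A feature listed with `[fixed]` cannot be turned off with `ethtool -K` on that driver, so it needs to be accounted for elsewhere in the sensor setup.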