[Oisf-users] Suricata capture.kernel_drops caused by interrupt problems from single queue network cards

Christophe Vandeplas christophe at vandeplas.com
Mon Nov 18 13:24:25 UTC 2013


Hi list,

As explained in a previous mail I've been facing performance and
configuration challenges with Suricata. After lots of work and with the
precious help of the Suricata developers, kudos to Peter Manev for his
patience and help, I was able to pinpoint the cause of the problem.

The network cards I have, e1000e driver, do not have support for multiple
queues. In normal operations this doesn't seem a real problem, but with a
multithreaded Suricata this means that only one CPU core can receive
network traffic. And if that core is too busy, lots, lots, lots of
kernel_drops will occur.

Thanks to the Linux kernel's RPS (Receive Packet Steering) and/or RFS
(Receive Flow Steering), packet distribution functionality is offered in
software, which solves this problem for mono-queue NICs/drivers like the
e1000e.

The long story and configuration settings are explained here:
http://christophe.vandeplas.com/2013/11/suricata-capturekerneldrops-caused-by.html


Hope this helps others.

Kind regards
Christophe
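
The RPS part of the fix described in the message above, as an added example that is not part of the original post or the linked blog entry: it checks that an interface really has a single RX queue and then writes a CPU bitmap to that queue's `rps_cpus` file. The function names, the interface name and the CPU list are assumptions, RFS is not covered, and CPU ids above 31 are not handled.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the interface
# name and the CPU list in the usage line at the bottom are assumptions.

# Turn a CPU list such as "1,2,3" into the hex bitmap rps_cpus expects ("e").
rps_mask() {
    local mask=0 cpu
    local IFS=,
    [ -n "$1" ] || { echo "empty CPU list" >&2; return 1; }
    for cpu in $1; do
        case "$cpu" in
            ''|*[!0-9]*|0?*) echo "bad CPU id: $cpu" >&2; return 1 ;;
        esac
        # Only one 32-bit bitmap word is built here; higher CPU ids would
        # need additional comma-separated words.
        [ "$cpu" -le 31 ] || { echo "CPU $cpu not handled" >&2; return 1; }
        mask=$(( mask | (1 << cpu) ))
    done
    printf '%x\n' "$mask"
}

# Count RX queues of interface $1; $2 overrides the sysfs root (for testing).
rx_queue_count() {
    local root="${2:-/sys/class/net}"
    local n=0 q
    for q in "$root/$1"/queues/rx-*; do
        if [ -d "$q" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Enable RPS on a single-queue interface: $1 iface, $2 CPU list, $3 sysfs root.
# Returns 2 and changes nothing when the NIC does not have exactly one RX queue.
apply_rps() {
    local root="${3:-/sys/class/net}"
    local mask queues
    mask=$(rps_mask "$2") || return 1
    queues=$(rx_queue_count "$1" "$root")
    if [ "$queues" -ne 1 ]; then
        echo "$1 has $queues RX queues, RPS not applied" >&2
        return 2
    fi
    echo "$mask" > "$root/$1/queues/rx-0/rps_cpus"
}

# Usage, as root (eth0 and the CPU list are placeholders):
#   apply_rps eth0 1,2,3
```

The setting is not persistent across reboots, and `capture.kernel_drops` in Suricata's stats output is the counter to watch before and after the change.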