[Oisf-users] Suricata 1 Thread, Af_packet IPS

Peter Manev petermanev at gmail.com
Sun Nov 10 09:23:15 UTC 2013

On Sun, Nov 10, 2013 at 5:27 AM, Stephen Watson
<steve at mansfieldweather.com> wrote:
> I’ve set up Suricata as an IPS running in af_packet mode. I ran it for a
> while on 2.6 Kernel then decided to move to 3.8 Kernel for multi thread
> testing.

So you are saying you can't do multi threading testing in 2.6? What is
the reason? What kind of tests are you running?
What are your expectations?

> On the 2.6 Kernel the Suricata process CPU usage was showing 130% (dual core
> CPU) at 20 Mbit throughput, yet on the 3.8 Kernel the Suricata thread is
> still at 130% on 20 Mbit, the other worker threads have very low loading, it
> seems the main Suricata thread is what has the big hit on the resources.
> So I can’t see any advantage on running the 3.8 Kernel over the 2.6 for a 20
> Mbit internet connection at this point.

There is much more to tuning Suricata than upgrading the kernel level
and expecting performance improvement just because you have upgraded,
without doing tuning and conf changes. By the same logic you could
downgrade to a lower level kernel version as well ...

Is your question towards multi threading advantages of different
kernel versions? Suricata performance tuning in IPS mode?
(Linux kernel version changelog found here -
http://kernelnewbies.org/LinuxVersions )

A bit more info could be useful so that we could help you better.

> Regards,
> Steve

Peter Manev
