[Oisf-users] Suricata 1 Thread, Af_packet IPS

Duarte Silva duarte.silva at serializing.me
Sun Nov 10 09:45:28 UTC 2013


Hi guys,

in RHEL-based Linux distributions (kernel 2.6.x) AF_PACKET does not have
the packet fan out feature. Hence the necessary update to kernel 3.x.

If you are getting unbalanced workloads in the CPUs under worker mode,
search the list for "IRQ", "performance", "10gbps and beyond". You'll find
threads dealing with such issues.

^^ this is what I can remember from the top of my head

Cheers,
Duarte
On 10 Nov 2013 09:23, "Peter Manev" <petermanev at gmail.com> wrote:

> On Sun, Nov 10, 2013 at 5:27 AM, Stephen Watson
> <steve at mansfieldweather.com> wrote:
> > I’ve set up Suricata as an IPS running in af_packet mode. I ran it for a
> > while on 2.6 Kernel then decided to move to 3.8 Kernel for multi thread
> > testing.
> >
> >
>
> So you are saying you can't do multi threading testing in 2.6? What is
> the reason? What kind of tests are you running?
> What are your expectations?
>
> >
> > On the 2.6 Kernel the Suricata process CPU usage was showing 130% (dual core
> > CPU) at 20 Mbit throughput, yet on the 3.8 Kernel the Suricata thread is
> > still at 130% on 20 Mbit, the other worker threads have very low loading, it
> > seems the main Suricata thread is what has the big hit on the resources.
> > So I can’t see any advantage on running the 3.8 Kernel over the 2.6 for a 20
> > Mbit internet connection at this point.
> >
>
> There is much more to tuning Suricata than upgrading the kernel level
> and expecting performance improvement just because you have upgraded,
> without doing tuning and conf changes. By the same logic you could
> downgrade to a lower level kernel version as well ...
>
> Is your question towards multi threading advantages of different
> kernel versions? Suricata performance tuning in IPS mode?
> (Linux kernel version changelog found here -
> http://kernelnewbies.org/LinuxVersions )
>
> A bit more info could be useful so that we could help you better.
>
>
> >
> >
> > Regards,
> >
> > Steve
> >
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
>
>
>
> --
> Regards,
> Peter Manev
>
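
Added example, not part of the original message and not Suricata code: one way to measure the per-thread imbalance discussed in this thread is to diff the utime and stime counters in /proc/<pid>/task/<tid>/stat between two snapshots. The thread names and tick counts below are constructed, and the function names are this example's own.

```python
import os

def parse_stat(line):
    """Return (thread_name, cpu_ticks) from one /proc/<pid>/task/<tid>/stat line."""
    # comm sits in parentheses and may contain spaces or ')', so cut at the
    # LAST ')' instead of splitting the whole line on whitespace.
    end = line.rindex(")")
    name = line[line.index("(") + 1:end]
    rest = line[end + 2:].split()               # rest[0] is field 3 (state)
    return name, int(rest[11]) + int(rest[12])  # utime (14) + stime (15)

def read_threads(pid):
    """Snapshot {tid: (name, ticks)} for every thread of a live process."""
    snap = {}
    for tid in os.listdir(f"/proc/{pid}/task"):
        with open(f"/proc/{pid}/task/{tid}/stat") as fh:
            snap[int(tid)] = parse_stat(fh.read())
    return snap

def cpu_shares(before, after):
    """Share of CPU ticks each thread consumed between two snapshots."""
    delta = {tid: (name, ticks - before[tid][1])
             for tid, (name, ticks) in after.items() if tid in before}
    total = sum(d for _, d in delta.values())
    return {tid: (name, d / total if total else 0.0)
            for tid, (name, d) in delta.items()}

def hot_threads(shares, factor=2.0):
    """Names of threads using more than `factor` times an even share."""
    limit = factor / len(shares) if shares else 0.0
    return [name for name, share in shares.values() if share > limit]

# Constructed snapshots (thread names and tick counts are made up). On a live
# sensor, take them with read_threads(pid) a few seconds apart.
BEFORE = {4101: ("Suricata-Main", 1000), 4102: ("AFPacketeth01", 200),
          4103: ("AFPacketeth02", 210), 4104: ("FlowManagerThre", 50)}
AFTER = {4101: ("Suricata-Main", 1650), 4102: ("AFPacketeth01", 220),
         4103: ("AFPacketeth02", 235), 4104: ("FlowManagerThre", 55)}

if __name__ == "__main__":
    shares = cpu_shares(BEFORE, AFTER)
    for tid, (name, share) in sorted(shares.items()):
        print(f"{tid:>6} {name:<16} {share:6.1%}")
    print("hot:", hot_threads(shares))
```

A result where one thread holds most of the ticks while the capture threads stay near zero is the pattern described in the quoted message.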