[Oisf-users] Suricata capture.kernel_drops caused by interrupt problems from single queue network cards
vpiserchia at gmail.com
vpiserchia at gmail.com
Mon Nov 18 13:38:40 UTC 2013
Hello Christophe,
On 11/18/2013 02:24 PM, Christophe Vandeplas wrote:
> Hi list,
>
> As explained in a previous mail I've been facing performance and configuration challenges with Suricata. After lots of work and with the precious help of the Suricata developers, kudo's to Peter Manev for his patience and help, I was able to pinpoint the cause of the problem.
>
> The network cards I have, e1000e driver, do not have support for multiple queues. In normal operations this doesn't seem a real problem, but with a multithreaded Suricata this means that only one CPU core can receive network traffic. And if that core is to busy, lots, lots, lots of kernel_drops will occur.
>
> Thanks to the Linux kernel and RPS (Receive Packet Steering) and/or RFS (Receive Flow Steering) packet distribution functionality is offered software based and solves this problem for mono-queue NICs/drivers like the e1000e.
>
> The long story and configuration settings are explained here: http://christophe.vandeplas.com/2013/11/suricata-capturekerneldrops-caused-by.html
>
> Hope this helps others.
thank you very much for explaining and sharing all this
best regards
vito
>
> Kind regards
> Christophe
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
More information about the Oisf-users
mailing list