[Oisf-users] Suricata capture.kernel_drops caused by interrupt problems from single queue network cards
Christophe Vandeplas
christophe at vandeplas.com
Wed Nov 20 14:55:13 UTC 2013
Thanks to feedback from Eric an lot more simple change is to configure
AF_PACKET with the cluster-type: cluster_flow instead of cluster_cpu.
That seems to also provide a kind of loadbalancing over different CPUs.
top -H confirms this works indeed.
On Mon, Nov 18, 2013 at 2:24 PM, Christophe Vandeplas
<christophe at vandeplas.com> wrote:
> Hi list,
>
> As explained in a previous mail I've been facing performance and
> configuration challenges with Suricata. After lots of work and with the
> precious help of the Suricata developers, kudo's to Peter Manev for his
> patience and help, I was able to pinpoint the cause of the problem.
>
> The network cards I have, e1000e driver, do not have support for multiple
> queues. In normal operations this doesn't seem a real problem, but with a
> multithreaded Suricata this means that only one CPU core can receive network
> traffic. And if that core is to busy, lots, lots, lots of kernel_drops will
> occur.
>
> Thanks to the Linux kernel and RPS (Receive Packet Steering) and/or RFS
> (Receive Flow Steering) packet distribution functionality is offered
> software based and solves this problem for mono-queue NICs/drivers like the
> e1000e.
>
> The long story and configuration settings are explained here:
> http://christophe.vandeplas.com/2013/11/suricata-capturekerneldrops-caused-by.html
>
> Hope this helps others.
>
> Kind regards
> Christophe
More information about the Oisf-users
mailing list