[Oisf-users] Suricata capture.kernel_drops caused by interrupt problems from single queue network cards
Eric Leblond
eric at regit.org
Wed Nov 20 15:41:20 UTC 2013
Hello,
On Wed, 2013-11-20 at 15:55 +0100, Christophe Vandeplas wrote:
> Thanks to feedback from Eric an lot more simple change is to configure
> AF_PACKET with the cluster-type: cluster_flow instead of cluster_cpu.
>
> That seems to also provide a kind of loadbalancing over different CPUs.
> top -H confirms this works indeed.
Good news but the RPS thing is still cool. Maybe it could be interesting
to test the difference provided by the 2 modes.
A few explanation on cluster_flow:
When cluster_flow is set, the kernel is delivering the packet on the
different listening socket by doing a flow based load balancing. It
computes a key corresponding to the flow tuple and deliver each packet
with same key to the same socket.
On Suricata side, one capture thread is dedicated to each socket and
thus there is a load balancing on all CPUs due to this.
In your case, the IRQ will be shared and this will not be as optimal as
a multiqueue card but at least all CPUs will work on intensive task like
detect.
BR,
--
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
More information about the Oisf-users
mailing list