[Oisf-users] Suricata Myricom and 10Gbit

Michał Purzyński michalpurzynski1 at gmail.com
Thu Apr 3 20:35:43 UTC 2014 

OK, so after some tunning I can handle a few Gbit/sec of traffic - still
lots to be done but I'm getting somewhere and don't drop packets most of
the time.

Need a sanity check on the option I've set.

  # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.

^^ could you elaborate on that, as in why? I'm curious. Also, is this "up
to Nehalem and not later" ? Everyone seems to recommend the affinity these
days.

What do you think about settings like below? I use 16 threads (2 x 8 core
Xeon) because HT does not seem to make any sense here. HT works by using
unused resources but when Suricata gets hands on my CPUs there won't be
much to spare ;) Or am I wrong?

  set-cpu-affinity: yes

  cpu-affinity:
    - management-cpu-set:
        cpu: [ "all" ]
        mode: "balanced"
        prio:
          default: "low"
    - receive-cpu-set:
        cpu: [ "all" ]
        mode: "balanced"
    - decode-cpu-set:
        cpu: [ "all" ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "all" ]
        mode: "balanced"
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          default: "high"
    - verdict-cpu-set:
        cpu: [ "all" ]
        mode: "balanced"
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ "all" ]
        mode: "balanced"
        prio:
        default: "low"
    - output-cpu-set:
        cpu: [ "all" ]
        mode: "balanced"
        prio:
           default: "medium"


On Tue, Apr 1, 2014 at 11:18 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Tue, Apr 1, 2014 at 1:47 AM, Michał Purzyński
> <michalpurzynski1 at gmail.com> wrote:
> >                      SNF recv pkts:            328287934
> >                 SNF drop ring full:                    0
> >
> > OK. So. The data ring size is for all wokers, i.e. if I allocate 10GB
> than I
> > need just 10GB of physical memory. What made me think otherwise are tools
> > like top, htop, free -m. They actually show num_workers x data_ring_size
> =
> > crazy amount of memory I don't have. But because all workers map the same
> > physical memory it does not matter, because all I need is just a virtual
> > memory to handle the mapping and that's it.
> >
> > Sending around 3.5Gbit/sec now (in peak, goes down to 2Gbit/sec) and
> myricom
> > says that suricata takes all the packets. Will debug the Suricata
> > performance later tomorrow, it's 2AM :-)
> >
> >
>
>
> you should also  try
>   - sgh-mpm-context: full
>
>
> Some info from the stats.log would be useful as well for troubleshooting?
>
> --
> Regards,
> Peter Manev
>



-- 
Michał Purzyński
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140403/35142f8a/attachment-0002.html>

More information about the Oisf-users mailing list