[Oisf-users] Suricata on FreeBSD 10, netisr problem

Shirkdog shirkdog at gmail.com
Fri Apr 4 14:48:28 UTC 2014 

To look to FreeBSD, you would need to provide additional information.
If there is nothing dumping, kernel dumps, dmesg output, it may be
something specific to Suricata.

Some things from FreeBSD Wiki on Net tuning and Netisr

https://wiki.freebsd.org/NetworkPerformanceTuning

Netisr
Bump net.route.netisr_maxqlen to 2048 or higher value.
This can affect you iff you're doing shaping.
Do NOT use netisr policy other than 'direct' if you can.
Current netisr implementation can't split traffic into different ISR
queues (patches are coming, 2012-02-23).
Every queue is covered by mutex which is much worse than using
buf_ring(9) api (patches are coming, 2012-02-23).

Performance loss of 10-30% was observed on various scenarios (direct
dispatch vs deferred of hybrid).



---
Michael Shirk


On Fri, Apr 4, 2014 at 8:47 AM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:
> Hi,
>
> I am trying to use suricata on FreeBSD 10 amd64.
> FreeBSD behaves as a VLAN router and NAT Box.
>
> Traffic is about 400Mbps.
> When i diverted traffic to suricata, ( add 100 divert 8000 all from any to
> any via em0 )
> swi: netisr 0 thread gets %100 cpu.
> other netisr threads are %0. And Even I remove the divert rule, netisr still
> eats %100 cpu.  I think that something looping :)
> And after 1-2 minutes, one of igb0 and igb1 stops working.
> Only reboot solves problem.
>
> Hardware has 8 cores, 24GB Ram
>
> My loader.conf :
>
> hw.igb.txd="4096"
> hw.igb.rxd="4096"
> hw.igb.rx_process_limit=1024
> hw.igb.num_queues=3
> net.isr.maxthreads=3
> net.isr.bindthreads=1
> net.isr.defaultqlimit=4096
> net.isr.maxqlimit=20480
> net.link.ifqmaxlen=10240
>
> How can I debug this situation?
> Any suggestions?
>
> Best regards
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

More information about the Oisf-users mailing list