[Oisf-users] Suricata threading

Peter Manev petermanev at gmail.com
Thu Aug 14 14:37:07 UTC 2014 

On Thu, Aug 14, 2014 at 4:32 PM, Shirkdog <shirkdog at gmail.com> wrote:
> I would also add Peter's guide for configuring Suricata for high performance:
>
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/

Eric's :)

>
> ---
> Michael Shirk
>
>
> On Thu, Aug 14, 2014 at 7:26 AM, Peter Manev <petermanev at gmail.com> wrote:
>> On Thu, Aug 14, 2014 at 12:26 PM, Russell Fulton
>> <r.fulton at auckland.ac.nz> wrote:
>>> Thanks Duarte and Coop!
>>>
>>> On 14/08/2014, at 7:11 pm, Duarte Silva <duarte.silva at serializing.me> wrote:
>>>
>>> Hi,
>>>
>>> in your configuration you should enable affinity :P
>>>
>>> #
>>> # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
>>> #
>>> set-cpu-affinity: no
>>>
>>>
>>> Change this to yes, otherwise any settings bellow will be ignored.
>>>
>>>
>>> I fixed that but the behaviour has not changed much  it is still hogging one
>>> CPU.
>>>
>>> Looking at the startup logs I see:
>>>
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Core
>>> dump size set to unlimited.
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> dropped the caps for main thread
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - fast
>>> output device (regular) initialized: fast.log
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> Unified2-alert initialized: filename unified2.alert, limit 32 MB
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> Adding interface eth3 from config file
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found
>>> affinity definition for "management-cpu-set"
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found
>>> affinity definition for "receive-cpu-set"
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found
>>> affinity definition for "decode-cpu-set"
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found
>>> affinity definition for "stream-cpu-set"
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found
>>> affinity definition for "detect-cpu-set"
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using
>>> default prio 'medium'
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found
>>> affinity definition for "verdict-cpu-set"
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using
>>> default prio 'high'
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found
>>> affinity definition for "reject-cpu-set"
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using
>>> default prio 'low'
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found
>>> affinity definition for "output-cpu-set"
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using
>>> default prio 'medium'
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using
>>> flow cluster mode for PF_RING (iface eth3)
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Going
>>> to use 1 thread(s)
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> Setting affinity on CPU 13
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> Setting prio -2 for "RxPFReth31" Module to cpu/core 13, thread id 9432
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Error> -
>>> [ERRCODE: SC_ERR_THREAD_NICE_PRIO(47)] - Error setting nice value for thread
>>> RxPFReth31: Operation not permitted
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> (RxPFReth31) Using PF_RING v.5.6.1, interface eth3, cluster-id 99,
>>> single-pfring-thread
>>> Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> RunModeIdsPfringWorkers initialised
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> Setting prio 0 for "FlowManagerThread" thread , thread id 9433
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream "max-sessions": 262144
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream "prealloc-sessions": 32768
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream "memcap": 33554432
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream "midstream" session pickups: disabled
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream "async-oneside": disabled
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream "checksum-validation": enabled
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream."inline": disabled
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream.reassembly "memcap": 67108864
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream.reassembly "depth": 1048576
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream.reassembly "toserver-chunk-size": 2560
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> -
>>> stream.reassembly "toclient-chunk-size": 2560
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:09 - <Info> -
>>> Setting prio 0 for "SCPerfWakeupThread" thread , thread id 9434
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:09 - <Info> -
>>> Setting prio 0 for "SCPerfMgmtThread" thread , thread id 9435
>>> Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:09 - <Info> - all 1
>>> packet processing threads, 3 management threads initialized, engine started.
>>>
>>> I get affinity set for just cpu 13.
>>>
>>> I am guessing the nice fails because I have dropped prigs.
>>>
>>> here is the current config:
>>>
>>> # Tune cpu affinity of suricata threads. Each family of threads can be bound
>>>   # on specific CPUs.
>>>   cpu-affinity:
>>>     - management-cpu-set:
>>>         cpu: [ 10 ]  # include only these cpus in affinity settings
>>>     - receive-cpu-set:
>>>         cpu: [ 10 ]  # include only these cpus in affinity settings
>>>     - decode-cpu-set:
>>>         cpu: [ 10, 11 ]
>>>         mode: "balanced"
>>>     - stream-cpu-set:
>>>         cpu: [ "10-11" ]
>>>     - detect-cpu-set:
>>>         cpu: [ "13-15" ]
>>>         mode: "exclusive" # run detect threads in these cpus
>>>         # Use explicitely 3 threads and don't compute number by using
>>>         # detect-thread-ratio variable:
>>>         threads: 3
>>>         prio:
>>>           low: [ 10 ]
>>>           medium: [ "11-12" ]
>>>           high: [ 13 ]
>>>           default: "medium"
>>>     - verdict-cpu-set:
>>>         cpu: [ 10 ]
>>>         prio:
>>>           default: "high"
>>>     - reject-cpu-set:
>>>         cpu: [ 10 ]
>>>         prio:
>>>           default: "low"
>>>     - output-cpu-set:
>>>         cpu: [ "all" ]
>>>         prio:
>>>            default: "medium"
>>>
>>>
>>>
>>>
>>> I also uncommented the “threads: 3” under -detect-cpu-set
>>>
>>>
>>> It is cpu13 that is running at 100%
>>>
>>>
>>
>>
>> How do you start Suricata?
>> What does your pf-ring section in suricata.yaml look like?
>>
>> thanks
>>
>> --
>> Regards,
>> Peter Manev
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list