[Oisf-users] (no subject)

X.qing xqing.summer at gmail.com
Sun Jun 8 07:56:58 UTC 2014


It is really a great surprise for me to hear from you. First of all, thank
you very much!

I have changed cluster_cpu to cluster_flow as you commanded, and it works.
However, it seems that only adding threads does not help much in my system.
After a 1-hour test, I still get about 50% drops.
The basic configuration follows your series of 4 articles about
Suricata IDPS (
http://pevma.blogspot.se/2013/12/suricata-and-grand-slam-of-open-source.html)
and case 4 in (
http://pevma.blogspot.se/2014/05/playing-with-memory-consumption.html).

This is the basic information about my system:
Suricata version 2.0.1 with AF_PACKET, 22 threads
CPU: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz
Kernel: Linux version 3.11.0-15-generic
OS: Ubuntu 12.04.4
RAM: 125G
72 rules loaded for test.
Traffic size: 2-4Gps

If it doesn't bother you too much, I have uploaded my configuration file in
the attachment for you to check. I am eager to receive more suggestions from
you.

Thanks again.
Best wishes.
>
>
>
>
> 2014-06-05 15:27 GMT+08:00 Peter Manev <petermanev at gmail.com>:
>
>> The reason the extra threads are not used is because you have set up
>> the NIC affinity and it has only 16 irq-affinity threads.
>>
>> You can change the af-packet section from cluster_cpu to cluster_flow
>> and they will be used, though I am not sure how it will affect
>> performance in your case.
>>
>>
>> The fact that you set up the yaml config just as it is on the blog
>> does not guarantee you 0% drops.
>>
>> It depends on how much traffic you inspect, how many rules you
>> load, what type of traffic it is, ...
>>
>> Which blogpost did you follow in particular?
>> What is the OS/kernel you are using?
>> What amount of traffic do you inspect?
>> How many rules do you load?
>>
>> thanks
>>
>>
>>
>>
>>
>> On Thu, Jun 5, 2014 at 6:21 AM, Blogger Contact Form
>> <no-reply at blogger.com> wrote:
>> > I've configured the suricata.yaml as you suggested above, but I still get
>> > about 60% drops. Do you have any other suggestions?
>> > I intend to add threads to improve the performance, so I only changed
>> > the 'threads' in 'af-packet' to 22 (the default is 16), but when I check in
>> > stats.log, the 17-22 packet is not used. Did I miss any other
>> > parameter to change?
>> > thanx :)
>> >
>> > Regards,
>> > Tomato- | xqing.summer at gmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata-afpacket.yaml
Type: application/octet-stream
Size: 49564 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140608/7260d3df/attachment-0001.obj>
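
Dropped packets are traffic the sensor never inspects, so the per-thread counters in stats.log discussed in this thread are worth checking directly. The following is an added example, not code from the thread or from the Suricata project: it assumes the Suricata 2.0 stats.log layout (Counter | TM Name | Value) and the AF_PACKET counters capture.kernel_packets and capture.kernel_drops, and the sample data, thread names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed stats.log layout; names and values are made up.
SAMPLE_STATS = """\
-------------------------------------------------------------------
Date: 6/8/2014 -- 07:00:00 (uptime: 0d, 01h 00m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1000000
capture.kernel_drops      | AFPacketeth01             | 500000
capture.kernel_packets    | AFPacketeth02             | 800000
capture.kernel_drops      | AFPacketeth02             | 200000
capture.kernel_packets    | AFPacketeth017            | 0
capture.kernel_drops      | AFPacketeth017            | 0
"""

ROW = re.compile(r"^(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def latest_capture_counters(text):
    """Return {thread: {counter: value}} taken from the last dump in the text."""
    threads = defaultdict(dict)
    for line in text.splitlines():
        if line.startswith("Date:"):
            threads.clear()  # counters are cumulative, keep only the newest dump
        m = ROW.match(line)
        if m:
            counter, thread, value = m.groups()
            threads[thread][counter] = int(value)
    return dict(threads)

def drop_report(text):
    """Per-thread drop %, threads that saw no packets, and the overall drop %."""
    per_thread, idle, pkts_total, drops_total = {}, [], 0, 0
    for thread, c in sorted(latest_capture_counters(text).items()):
        pkts = c.get("capture.kernel_packets", 0)
        drops = c.get("capture.kernel_drops", 0)
        if pkts == 0:
            idle.append(thread)  # capture thread that never received traffic
            continue
        per_thread[thread] = round(100.0 * drops / pkts, 1)
        pkts_total += pkts
        drops_total += drops
    overall = round(100.0 * drops_total / pkts_total, 1) if pkts_total else 0.0
    return per_thread, idle, overall

if __name__ == "__main__":
    print(drop_report(SAMPLE_STATS))
```

Threads listed as idle correspond to the situation described in the thread, where capture threads beyond those actually fed by the NIC show no packets.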

