[Oisf-users] (no subject)
Cooper F. Nelson
cnelson at ucsd.edu
Thu Mar 27 17:57:07 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Actually, thinking about this, I wonder if you could just add more
cores/memory and then run multiple queues per core, up to the limit
defined with ethtool -F?
I tried it, while it technically works the load average went through the
roof on our current sensor. So it looks like AF_PACKET is designed to
be used with only one thread/core.
- -Coop
On 3/27/2014 10:32 AM, Cooper F. Nelson wrote:
>
> I'm pretty sure suricata could be redesigned to eliminate dropped
> packets by using some sort of queuing/backing store, but this would take
> a major architectural change (which I'm not sure is justified). I'm
> thinking something like allowing a single, massive (i.e. multi-gigabyte)
> AF_PACKET ringbuffer that then feeds the smaller worker queues.
>
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTNGZzAAoJEKIFRYQsa8FW7q8H+wYr6U7CEi3HuIbr3XNhtT4H
NJDEoaDoJkgzGg32FD3cBaWY4Z2OZfbt3duhkhxCsbLBI7kQgF8UZR4zV4OHScq+
RZ3R3aeXEp7fIVJw2KYZTmX6ztQyx04ofYbzDbrTXzqBmbSKnS5UHNmCoBwSJmzo
eT5P/U6NeulRPrJF/N0cqmOCBzDxXOYxyEDNzHcv9P70JoCBmeWD5FKDIfxLg3fN
nn0LqxC+K5abgQaqEfqduxbSHt6SyX9J/buZZaNiHAC0Kjx0cxFkvLeqBCjXk3kN
KSIUO+p6jBwr7kqb2URTTT22w4ibu9UMyVTEwWhCFTDQJYltGpDNzJ+Lr95I8DM=
=hKRS
-----END PGP SIGNATURE-----
More information about the Oisf-users
mailing list