[Oisf-users] Tuning Suricata with Myricom Sniffer10g Hardware

Rasmor, Zachary R zachary.r.rasmor at lmco.com
Thu Apr 2 15:39:13 UTC 2015



I know some folks in the community have successfully integrated and tuned
Suricata for use with Myricom's Sniffer10g hardware. We are in the process
of testing Suricata 2.1-Beta with Sniffer10g hardware and have come across
at least a few questions regarding the integration of the two. 


While I have seen some of the older OISF threads where users have cited a
configuration that is working well for them, I would personally rather
understand the interdependency between SNF parameters and suricata.yaml
parameters, and how they affect the runtime behavior of Suricata. This
understanding will allow us to intelligently tune rather than blindly guess.
We posed these questions with Myricom support and the response was to
contact the OISF mailing list.  Considering that others may have had similar
questions, we're hoping a discussion thread can help to shed some additional
guidance relating to tuning Suricata with Myricom capture cards.


In particular, I was wondering if anyone had any insight into Suricata's
memory usage with regards to DATARING_SIZE, as you can see here from the
output of 'top', the Suricata memory increases *rapidly* with respect to the

**The yaml file was constant throughout all 3 tests - only the SNF ring
parameters changed**


(DATARING_SIZE = 256MB (default), DESCRING_SIZE=64MB (default) - 8

61300 user  20   0 15.4g  13g 5.0g S 221.7  5.2  36:43.21 Suricata-Main 


(DATARING_SIZE = 4GB, DESCRING_SIZE=1GB - 8 rings/threads)

28208 user  20   0 90.4g  88g  80g S 281.3 35.1   8:07.91 Suricata-Main


(DATARING_SIZE = 8GB, DESCRING_SIZE=2GB - 8 rings/threads)

55652 user  20   0  170g 168g 160g S 226.8 66.9  30:39.41 Suricata-Main 


In addition, since Suricata is leveraging SNF through libpcap, I am
wondering if it is known how the pcap.buffer-size parameter that is defined
in the suricata.yaml relates to the DATARING_SIZE/DESCRING_SIZE parameters?



  - interface: eth4
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as total of memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    buffer-size: 16777216


I appreciate any guidance the community can provide on these items, in
addition to any other tuning considerations when using Suricata with
Sniffer10g hardware.






Zach Rasmor

Senior Software Engineer

Lockheed Martin CIRT

700 N Frederick Ave | Gaithersburg, MD 20879

Email: zachary.r.rasmor at lmco.com

Office: 301.240.6116
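As an added example (not part of Zach's post), the script below parses the three `top` rows quoted above against the SNF ring settings listed for each run and reports how RES and SHR scale with rings × (DATARING_SIZE + DESCRING_SIZE). It assumes the SNF sizes are binary units (MiB/GiB) and that the first run, whose label is truncated in the mail, also used 8 rings.

```python
import re

# Constructed copies of the three `top` rows from the post, paired with the SNF
# ring settings quoted for each run. The first row's ring count is assumed to
# be 8 (the mail cuts the label off after "- 8").
SAMPLES = [
    # (DATARING_SIZE, DESCRING_SIZE, rings, top row)
    ("256MB", "64MB", 8, "61300 user  20   0 15.4g  13g 5.0g S 221.7  5.2  36:43.21 Suricata-Main"),
    ("4GB", "1GB", 8, "28208 user  20   0 90.4g  88g  80g S 281.3 35.1   8:07.91 Suricata-Main"),
    ("8GB", "2GB", 8, "55652 user  20   0  170g 168g 160g S 226.8 66.9  30:39.41 Suricata-Main"),
]

UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}


def parse_size(text, bare_unit=1024):
    """'15.4g', '88g', '256MB' or '12345' -> bytes. Binary units are assumed for
    both top and the SNF settings; a bare number is KiB, as top prints it."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([kmgt]?)b?", text.strip(), re.I)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    value, unit = float(m.group(1)), m.group(2).lower()
    return int(value * (bare_unit if unit == "" else UNITS[unit]))


def parse_top_line(line):
    """Split a default-layout top row (PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ CMD)."""
    f = line.split()
    if len(f) != 12:
        raise ValueError(f"expected 12 columns, got {len(f)}: {line!r}")
    return {"pid": int(f[0]), "virt": parse_size(f[4]), "res": parse_size(f[5]),
            "shr": parse_size(f[6]), "cpu": float(f[8]), "mem": float(f[9]), "cmd": f[11]}


def ring_bytes(dataring, descring, rings):
    """Memory the SNF rings themselves occupy: rings * (DATARING_SIZE + DESCRING_SIZE)."""
    return rings * (parse_size(dataring) + parse_size(descring))


def analyze(samples=SAMPLES):
    """Per run: ring allocation in GiB and the RES/SHR multiples of that allocation."""
    rows = []
    for data, desc, rings, line in samples:
        t, rb = parse_top_line(line), ring_bytes(data, desc, rings)
        rows.append({"rings_gib": rb / 1024 ** 3, "res_gib": t["res"] / 1024 ** 3,
                     "shr_gib": t["shr"] / 1024 ** 3,
                     "res_over_rings": t["res"] / rb, "shr_over_rings": t["shr"] / rb})
    return rows


if __name__ == "__main__":
    for r in analyze():
        print(f"rings {r['rings_gib']:6.1f} GiB  RES {r['res_gib']:6.1f} GiB "
              f"({r['res_over_rings']:.2f}x)  SHR {r['shr_gib']:6.1f} GiB ({r['shr_over_rings']:.2f}x)")
```

With the post's numbers SHR comes out at exactly 2 × rings × (DATARING_SIZE + DESCRING_SIZE) in every run, so it is the ring sizing, not the 16 MiB pcap buffer-size, that accounts for the resident footprint shown.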

