[Oisf-users] [Discussion] Suricata Performance Tuning (kernel_drops very high)

Cooper F. Nelson cnelson at ucsd.edu
Tue Jan 13 20:15:16 UTC 2015


I use workers mode with AF_PACKET, based on this guide:

> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/

Be sure to disable all off-loading features on your 10G nic (this is
absolutely critical).  Also, make sure you have the freshest kernel
available.

This is my af-packet config:

> af-packet:
>   - interface: eth2
>     threads: 16
>     cluster-id: 99
>     cluster-type: cluster_flow
>     defrag: yes
>     use-mmap: yes
>     ring-size: 500000
>     use-emergency-flush: yes
>     buffer-size: 1048576
>     checksum-checks: kernel
> 

You should be using 32 threads, one per CPU as per this configuration:

> threading:
>   set-cpu-affinity: yes
>   cpu-affinity:
>     - management-cpu-set:
>         cpu: [ 0-31 ]  # include only these cpus in affinity settings
>         mode: "balanced"
>         prio:
>           default: "low"
>     - detect-cpu-set:
>         cpu: [ 0-31 ]
>         mode: "exclusive" # run detect threads in these cpus
>         prio:
>           default: "high"
>   detect-thread-ratio: 1

Kernel packet drops for us are under 1%.  I also have an aggressive bpf
filter I can share with you off-list if you are interested in further
improving your performance.

-Coop

On 1/13/2015 12:01 PM, Barkley, Joey wrote:
> Ok. Thanks for the suggestions. I had taken it out of workers mode as
> I read that was for pf_ring and I'm using af_packet. I'll try these
> suggestions and report back.
> 
> I am on centos 6. Not positive of exact kernel version (not at my
> desk to check) but it would be whatever was available via public yum
> repos about a month ago. Just took over this project and am learning
> as I go.
> 
> It is possible there are capture problems on that port. I'll check
> with our network engineers and see what they say about the
> configuration.
> 
> Thanks,
> 
> Joey
> 
>> On Jan 13, 2015, at 12:14 PM, Cooper F. Nelson <cnelson at ucsd.edu>
>> wrote:
>> 
> +1 for using the 'workers' runmode and using bpf filters to sample
> traffic.
> 
> Also, run it without any rules or logging enabled until you figure
> out where your performance issues are.
> 
> -Coop
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042

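Cooper's "under 1%" figure can be checked directly against Suricata's stats.log. The script below is an added example, not code from this thread or from the Suricata project: it reads the per-thread capture.kernel_packets / capture.kernel_drops counters from the last dump in a Suricata 2.x style stats.log and lists capture threads whose drop rate is above a threshold. The log layout, the thread names and the numbers in the embedded sample are constructed for the example, and it assumes kernel_packets already includes the dropped packets (as AF_PACKET reports them).

```python
"""Per-thread AF_PACKET kernel drop rates from a Suricata stats.log (added example)."""
import re
from collections import defaultdict

# Constructed sample in the Suricata 2.x stats.log layout (Counter | TM Name | Value).
# Thread names and counter values are made up for this example.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 1/13/2015 -- 20:15:16 (uptime: 0d, 00h 10m 05s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth21             | 4000000
capture.kernel_drops      | AFPacketeth21             | 20000
capture.kernel_packets    | AFPacketeth22             | 3900000
capture.kernel_drops      | AFPacketeth22             | 0
capture.kernel_packets    | AFPacketeth23             | 6500000
capture.kernel_drops      | AFPacketeth23             | 1300000
decoder.pkts              | AFPacketeth21             | 3980000
"""

# Only the two capture counters matter here; everything else in the dump is skipped.
LINE_RE = re.compile(r"^(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_kernel_counters(text):
    """Return {thread: {'packets': n, 'drops': n}} from the most recent stats dump.

    stats.log is appended to every interval, so only the block after the last
    'Date:' header reflects the current state of the sensor."""
    last_block = text.split("Date:")[-1]
    counters = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in last_block.splitlines():
        m = LINE_RE.match(line)
        if m:
            counter, thread, value = m.groups()
            key = "packets" if counter.endswith("packets") else "drops"
            counters[thread][key] = int(value)
    return dict(counters)


def drop_rates(counters):
    """Drop percentage per capture thread (kernel_packets is assumed to include drops)."""
    return {t: (100.0 * c["drops"] / c["packets"] if c["packets"] else 0.0)
            for t, c in counters.items()}


def threads_over_threshold(counters, max_pct=1.0):
    """Capture threads dropping more than max_pct; 1% is the benchmark quoted in the thread."""
    return sorted(t for t, pct in drop_rates(counters).items() if pct > max_pct)


if __name__ == "__main__":
    c = parse_kernel_counters(SAMPLE_STATS_LOG)
    for thread, pct in sorted(drop_rates(c).items()):
        print(f"{thread}: {pct:.2f}% dropped")
    print("over 1%:", threads_over_threshold(c))  # a single hot thread points at flow imbalance
```

With cluster_flow, one thread dropping while its siblings are clean usually means a few large flows are pinned to that thread rather than a global capacity problem.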