[Oisf-users] [Discussion] Suricata Performance Tuning (kernel_drops very high)
Cooper F. Nelson
cnelson at ucsd.edu
Tue Jan 13 20:15:16 UTC 2015
I use workers mode with AF_PACKET, based on this guide:
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
Be sure to disable all off-loading features on your 10G nic (this is
absolutely critical). Also, make sure you have the freshest kernel
available.
This is my af-packet config:
> af-packet:
>   - interface: eth2
>     threads: 16
>     cluster-id: 99
>     cluster-type: cluster_flow
>     defrag: yes
>     use-mmap: yes
>     ring-size: 500000
>     use-emergency-flush: yes
>     buffer-size: 1048576
>     checksum-checks: kernel
>
You should be using 32 threads, one per CPU as per this configuration:
> threading:
>   set-cpu-affinity: yes
>   cpu-affinity:
>     - management-cpu-set:
>         cpu: [ 0-31 ]  # include only these cpus in affinity settings
>         mode: "balanced"
>         prio:
>           default: "low"
>     - detect-cpu-set:
>         cpu: [ 0-31 ]
>         mode: "exclusive"  # run detect threads in these cpus
>         prio:
>           default: "high"
>   detect-thread-ratio: 1
Kernel packet drops for us are under 1%. I also have an aggressive bpf
filter I can share with you off-list if you are interested in further
improving your performance.
-Coop
On 1/13/2015 12:01 PM, Barkley, Joey wrote:
> Ok. Thanks for the suggestions. I had taken it out of workers mode as
> I read that was for pf_ring and I'm using af_packet. I'll try these
> suggestions and report back.
>
> I am on centos 6. Not positive of exact kernel version (not at my
> desk to check) but it would be whatever was available via public yum
> repos about a month ago. Just took over this project and am learning
> as I go.
>
> It is possible there are capture problems on that port. I'll check
> with our network engineers and see what they say about the
> configuration.
>
> Thanks,
>
> Joey
>
>> On Jan 13, 2015, at 12:14 PM, Cooper F. Nelson <cnelson at ucsd.edu>
>> wrote:
>>
> +1 for using the 'workers' runmode and using bpf filters to sample
> traffic.
>
> Also, run it without any rules or logging enabled until you figure
> out where your performance issues are.
>
> -Coop
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
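Cooper's point that disabling NIC offloading is critical is easy to get half right, since each feature is toggled separately. As an added example that is not part of this thread, here is a POSIX shell check that reads `ethtool -k` output, lists the offload features still enabled and prints the `ethtool -K` commands that turn them off; the interface name eth2 comes from the config above, and the `ethtool -k` output is a constructed sample.

```shell
# Added example, not from the original post: list the NIC offload features that
# `ethtool -k` still reports on, and print the `ethtool -K` commands to disable them.

# Feature names as `ethtool -k` prints them -> short flag `ethtool -K` takes.
offload_flag() {
    case "$1" in
        rx-checksumming)              echo rx  ;;
        tx-checksumming)              echo tx  ;;
        scatter-gather)               echo sg  ;;
        tcp-segmentation-offload)     echo tso ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        *) return 1 ;;   # sub-features and header lines are ignored
    esac
}

# stdin: `ethtool -k IFACE` output. Prints each tracked offload that is "on";
# exit status 1 if any were found, 0 if the NIC is clean.
enabled_offloads() {
    found=0
    while read -r name state _rest; do
        name=${name%:}                  # "rx-checksumming:" -> "rx-checksumming"
        offload_flag "$name" >/dev/null || continue
        if [ "$state" = "on" ]; then
            echo "$name"
            found=1
        fi
    done
    return $found
}

# stdin: names from enabled_offloads; prints the remediation command for each.
fix_commands() {
    while read -r name; do
        echo "ethtool -K $1 $(offload_flag "$name") off"
    done
}

# Constructed sample of `ethtool -k eth2` output (abridged) so this runs offline.
SAMPLE_ETHTOOL_K='Features for eth2:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'
printf '%s\n' "$SAMPLE_ETHTOOL_K" | enabled_offloads | fix_commands eth2
```

On a live sensor, replace the sample with `ethtool -k eth2 | enabled_offloads`; a feature shown as `on [fixed]` cannot be changed by the driver and needs a different NIC or driver setting.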