[Oisf-users] Out of band 10Gb Suricata

Brian Hennigar bhennigar at gmail.com
Thu Oct 15 00:48:19 UTC 2015


I think having 8 cores really is my issue. With no rules enabled, I'm still
getting drops with af-packet although it is better.

capture.kernel_drops      | AFPacketeth71             | 19611
capture.kernel_drops      | AFPacketeth72             | 23942
capture.kernel_drops      | AFPacketeth73             | 964
capture.kernel_drops      | AFPacketeth74             | 14720
capture.kernel_drops      | AFPacketeth75             | 0
capture.kernel_drops      | AFPacketeth76             | 0
capture.kernel_drops      | AFPacketeth77             | 0
capture.kernel_drops      | AFPacketeth78             | 19216


Thanks again for all of the help!  There's still much I need to learn about
tuning Suricata.

On Wed, Oct 14, 2015 at 8:23 PM, Brian Hennigar <bhennigar at gmail.com> wrote:

> I've looked into pf_ring.  vmxnet3 isn't supported by pf_ring and the
> E1000 interface choice by ESXi is only 1gb which wouldn't work for 10Gb.
> vmxnet3 supports 10gb.   Passing the interface directly through to the VM
> might be an option but not ideal.
>
> I'm just starting on configuring it to use workers and af-packet.
>
> Thanks,
> Brian
>
> On Wed, Oct 14, 2015 at 8:19 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> wrote:
>
>>
>> I didn't notice that either.  All my deployments are bare metal, so I
>> don't know how well that will work.  If the NICs support receive-side
>> scaling everything should work well.
>>
>> -Coop
>>
>> On 10/14/2015 2:38 PM, Chris Wakelin wrote:
>> > Also it seems you're using virtual NICs ("vmxnet3")?
>> >
>> > Depending on which interface type you use and whether it supports
>> > AFPacket, you might need something like PF_RING ZC
>> > (http://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/).
>> >
>> > Best Wishes,
>> > Chris
>>
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu x41042
>>
>
>