[Oisf-users] suricata with PF_RING Zero Copy/Pinned CPUs

[Jim Hranicky]

I'm able to run and get good results with using multiple threads
on a pf-enabled interface when not running in ZC mode. I'm a little
stumped though as to how to configure zbalance_ipc/suricata to use
multiple threads using ZC. 

When run 1 queue for suri

  ./zbalance_ipc -i zc:enp4s0 -m 4 -n 1,1 -c 99 -g 0 -S 1

then specify the interface like so

  - interface: zc:99 at 0
    threads: 22

and run this command 

  /opt/suricata/bin/suricata -i zc:99 at 0 -c /opt/suricata/etc/suricata/suricata.yaml --pfring -vv

I get this: 

  10/8/2016 -- 13:00:01 - <Perf> - (RX#01) Using PF_RING v.6.5.0, 
  interface zc:99 at 0, cluster-id 1
  
  10/8/2016 -- 13:00:01 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - 
  Failed to open zc:99 at 0: pfring_open error. Check if zc:99 at 0 exists and pf_ring module is loaded.
  
  10/8/2016 -- 13:00:01 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - 
  Failed to open zc:99 at 0: pfring_open error. Check if zc:99 at 0 exists and pf_ring module is loaded.
  
  10/8/2016 -- 13:00:01 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - 
  Failed to open zc:99 at 0: pfring_open error. Check if zc:99 at 0 exists and pf_ring module is loaded.

Should I run zbalance_ipc with multiple queues? How do I specify the interfaces on 
the CL and the config file? FWIW I seem to get about 40% more events per second
when running with multiple threads over running with 1 ZC queue. 

Thanks,

--
Jim Hranicky
Data Security Specialist
UF Information Technology
105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826
352-273-1341