[Oisf-users] af_packet and rss queue count

Peter Manev petermanev at gmail.com
Sat Dec 24 17:51:41 UTC 2016

> On 24 Dec 2016, at 18:22, erik clark <philosnef at gmail.com> wrote:
> I have seen several places commenting that you should set the RSS queue to 1. However, when examining af_packet with Bro, a patch released from Red Hat for the ixgbe kernel module, and some ethtool tweaking, we have found that (for Bro at least) running a full 63 (we have 54 cores) RSS queues vastly improves performance, and keeps state intact across sessions.
> Based on this update, which fixes the broken implementation of setting a symmetric hash in the hardware of the card

Can you please share a bit more detail:
Which ixgbe/kernel version is that?
Which patch is it?
What is the ethtool tweaking procedure?


> (again ixgbe, not tested with i40e), is it still necessary to run one queue? If so, you can't run Bro and Suri on the same box with af_packet and get equivalent performance out of both tools. Having run Suri with 63 queues for a week now, it seems performance is considerably better than with pf_ring, and I can not find any unusual behavior in my alerts...