[Oisf-users] Suricata config for max udp-througoutput

Peter Manev petermanev at gmail.com
Thu Jul 7 09:13:24 UTC 2016 

On Thu, Jun 23, 2016 at 1:42 PM, oleg gv <oagvozd at gmail.com> wrote:
> I decreased ring slots to 32 and rx and TX became the same...15gbps on
> pfring. But when I stopped suricata it shows strange things in log dropped
> packets are in times more then total (1300%)
>
> 23 июня 2016 г. 12:35 пользователь "oleg gv" <oagvozd at gmail.com> написал:
>
>> Hello, i'm testing Suricata on machine with 32 CPU and 32Gb RAM.
>>
>> I need to maximize Suricata performance on IXIA for UDP-traffic of
>> fixed-length packets.

What is the fixed length ?
Which Suricata version is it that you are using and on what OS?

>>
>> I need to test 2 modes: PF_RING and AF_PACKET.
>>
>>
>> What configs do you suggest for both of them.
>>
>> My setup for PF_RING and almost identical for AF_PACKET:
>>
>> 1) using 2 eth-interfaces (eth0-eth1) with copy-mode IPS
>> 2) threads 32
>> 3) diffeerent cluster-id for each of 2 ifaces
>> 4) runmode auto or workers

On commodity HW workers is your best option most likely

>> 5) ring_slots 100k
>> 6)max pending packets - 512

try increasing those to 65534

>> 7)detect-thread-ratio - 1.0
>> 8)cluster_type : flow
>> 8)all 17k rules is  turned on
>> 9)Icreased memcaps and other memory related options for
>> detect,fragmentation and stream subsystems of Suricata.

what are those increased to?

>> 10)As result Suricata consumes about 15Gb RAM when run
>>
>> PROBLEM: IXIA Tx Tput is MORE then Rx TPut : for example -
>>
>> IXIA transsmit (TX)  to Suricata eth0 on  speed 10Gbps (from total
>> theoretical 20Gbps) and
>> IXIA receive (RX) from Suricata eth1 on speed 15Gbps (from total
>> teoretical 20Gbps)
>> Without Suricata : RX=TX=~19Gpbs.
>>

What is the CPU usage?

A bit more info about the IXIA can be useful.

>> I've tried to increase ip wmem/ip rmem values in proc to (4Mb 16Mb 64Mb)
>> but problem still remains.
>>
>> I think this is because of drops. What do I need to do to decrease drops
>> and make RX~=TX.
>>
>>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list