[Oisf-users] Suricata config for max udp-throughput

oleg gv oagvozd at gmail.com
Thu Jun 23 11:42:39 UTC 2016


I decreased ring slots to 32, and RX and TX became the same... 15 Gbps on
PF_RING. But when I stopped Suricata, it showed strange things in the log:
dropped packets are several times more than the total (1300%).

On 23 June 2016 at 12:35, "oleg gv" <oagvozd at gmail.com> wrote:

> Hello, I'm testing Suricata on a machine with 32 CPUs and 32Gb RAM.
>
> I need to maximize Suricata performance on IXIA for UDP-traffic of
> fixed-length packets.
>
> I need to test 2 modes: PF_RING and AF_PACKET.
>
>
> What configs do you suggest for both of them?
>
> My setup for PF_RING and almost identical for AF_PACKET:
>
> 1) using 2 eth-interfaces (eth0-eth1) with copy-mode IPS
> 2) threads 32
> 3) different cluster-id for each of 2 ifaces
> 4) runmode auto or workers
> 5) ring_slots 100k
> 6) max pending packets - 512
> 7) detect-thread-ratio - 1.0
> 8) cluster_type : flow
> 8) all 17k rules are turned on
> 9) Increased memcaps and other memory related options for
> detect, fragmentation and stream subsystems of Suricata.
> 10) As a result, Suricata consumes about 15Gb RAM when run
>
> PROBLEM: IXIA Tx Tput is MORE than Rx TPut : for example -
>
> IXIA transmit (TX) to Suricata eth0 at speed 10Gbps (from total
> theoretical 20Gbps) and
> IXIA receive (RX) from Suricata eth1 at speed 15Gbps (from total
> theoretical 20Gbps)
> Without Suricata : RX=TX=~19Gbps.
>
> I've tried to increase ip wmem/ip rmem values in proc to (4Mb 16Mb 64Mb)
> but problem still remains.
>
> I think this is because of drops. What do I need to do to decrease drops
> and make RX~=TX?
>
>
>