[Oisf-users] dev-detect-grouping-v174, only 2 cores being used?
Michał Purzyński
michalpurzynski1 at gmail.com
Tue Mar 1 11:36:38 UTC 2016
Just a thought - do you have something like smokeping in your network?
A CPU or two pegged while everything else is almost idle, with a high drop count could be either an elephant flow or this:
https://github.com/inliniac/suricata/commit/0a22ba7e23deef9ab432d048828169f663dd247b
Elephant flow means something like a data copy between a pair of hosts, over a single pair of ports, at a high speed. It would land on a single CPU, saturating it.
Also, which kernel version do you use?
> On 01 Mar 2016, at 07:47, Peter Manev <petermanev at gmail.com> wrote:
>
> On Mon, Feb 29, 2016 at 10:37 PM, Barkley, Joey
> <Joey.Barkley at ingramcontent.com> wrote:
>> All,
>>
>>
>> I've done some tweaking to my test instance but can't seem to get it running
>> properly. Here is what I did:
>>
>>
>> 1) Took the dev-detect-grouping-v174 branch and merged master (as of this
>> morning, 2016-02-29) into it.
>
> I would suggest doing it step by step - in order to avoid excessive
> troubleshooting if needed.
> So start with just the dev-detect-grouping-v174 branch - but if you
> start with that I would recommend the latest branch -
> dev-detect-grouping-v178 branch -
> https://github.com/inliniac/suricata/tree/dev-detect-grouping-v178
>
>
>>
>> 2) Built Suricata and used my normal config file, but made the required
>> changes in the "detect" section.
>
> What changes are those exactly? Can you share that section of the suricata.yaml?
>
>>
>> a. I tried the default (profile medium, toclient 3, toserver 25) but
>> then also changed to 30 and 250 just to test. Same results with both.
>>
>
> How many rules do you load? (Or are you trying with no rules as a test?)
>
>> 3) I have 8 threads set, and I have management cpu set to 0,2 and detect cpu
>> set to 4-14 (even number cores).
>>
>> 4) management cpu set is exclusive and high, so is detect cpu set
>>
>>
>> Suricata starts up very quickly (few seconds) and consumes very little RAM.
>> However, I get cpu 0 with a very small use %, and cpu's 4 & 14 pegged at
>> 100%. kernel_drops are extremely high (compared to my working config).
>>
>
> This is - cpu's 4 and 14 are only pegged - not 4 through 14 (even
> numbers only), is that correct?
>
>>
>> I know I've got a lot of variables in this setup, but does anyone see
>> anything obviously wrong with how I've set things up? Should I stop
>> separating out the management CPU set and just run them on the CPUs that the
>> detect threads run on?
>>
>>
>> Thanks,
>>
>> Joey Barkley
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://oisfevents.net
>
>
>
> --
> Regards,
> Peter Manev
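The elephant-flow effect described in the reply at the top of this message, as an added example that is not part of the original email or of Suricata's code: flows are assigned to workers by a direction-independent hash of the 5-tuple, so one bulk copy pins a single worker however many are configured. The flow records, the crc32 hash and the 50% threshold are assumptions made for illustration; the 8 workers match the 8 threads mentioned in the thread.

```python
import zlib
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto nbytes")

# Constructed sample data: one bulk copy between two hosts plus ordinary traffic.
FLOWS = [
    Flow("10.0.0.5", 51000, "10.0.1.9", 873, "tcp", 9_000_000_000),  # bulk copy
    Flow("10.0.0.7", 40212, "192.0.2.10", 443, "tcp", 40_000_000),
    Flow("10.0.0.8", 40977, "192.0.2.11", 443, "tcp", 55_000_000),
    Flow("10.0.0.9", 53211, "192.0.2.53", 53, "udp", 2_000_000),
    Flow("10.0.0.11", 39001, "198.51.100.4", 80, "tcp", 70_000_000),
    Flow("10.0.0.12", 39455, "198.51.100.5", 22, "tcp", 30_000_000),
    Flow("10.0.0.13", 41820, "203.0.113.7", 443, "tcp", 90_000_000),
]

def worker_for(flow, n_workers):
    """Pick a worker from a direction-independent hash of the 5-tuple.

    crc32 is a stand-in (assumption): the real hash depends on the capture
    method and NIC, but any per-flow hash keeps one flow on one worker.
    """
    lo, hi = sorted([(flow.src, flow.sport), (flow.dst, flow.dport)])
    key = f"{lo}|{hi}|{flow.proto}".encode()
    return zlib.crc32(key) % n_workers

def per_worker_bytes(flows, n_workers):
    """Total bytes each worker would have to inspect."""
    load = [0] * n_workers
    for f in flows:
        load[worker_for(f, n_workers)] += f.nbytes
    return load

def elephant_flows(flows, min_share=0.5):
    """Flows that alone carry at least min_share of all observed bytes."""
    total = sum(f.nbytes for f in flows)
    return [f for f in flows if total and f.nbytes / total >= min_share]

if __name__ == "__main__":
    load = per_worker_bytes(FLOWS, 8)
    total = sum(load)
    for i, b in enumerate(load):
        print(f"worker {i}: {b / total:6.1%} of bytes")
    for f in elephant_flows(FLOWS):
        print("elephant:", f.src, "->", f.dst, "on worker", worker_for(f, 8))
```

Adding workers does not change the picture: the bulk flow still hashes to exactly one of them.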