[Oisf-users] dev-detect-grouping-v174, only 2 cores being used?

Barkley, Joey Joey.Barkley at ingramcontent.com
Tue Mar 1 15:31:28 UTC 2016


3.10 kernel. We are in process of moving to 4.x but not yet.

I don't think this is the problem because it works without the new configs. I was just hoping to get the speed up improvements as it normally takes a long time (5+ mins) to start up.





On Tue, Mar 1, 2016 at 3:36 AM -0800, "Michał Purzyński" <michalpurzynski1 at gmail.com> wrote:

Just a thought - do you have something like smokeping in your network?

A CPU or two pegged while everything else is almost idle, with a high drop count could be either an elephant flow or this:

https://github.com/inliniac/suricata/commit/0a22ba7e23deef9ab432d048828169f663dd247b

Elephant flow means something like a data copy between a pair of hosts, over a single pair of ports, at a high speed. It would land on a single CPU, saturating it.

Also, which kernel version do you use?

On 01 Mar 2016, at 07:47, Peter Manev <petermanev at gmail.com> wrote:

On Mon, Feb 29, 2016 at 10:37 PM, Barkley, Joey
<Joey.Barkley at ingramcontent.com> wrote:
All,


I've done some tweaking to my test instance but can't seem to get it running
properly. Here is what I did:


1) Took the dev-detect-grouping-v174 branch and merged master (as of this
morning, 2016-02-29) into it.

I would suggest do it step by step - in order to avoid excessive
troubleshooting if needed.
So start with just the dev-detect-grouping-v174 branch - but if you
start with that I would recommend the latest branch -
dev-detect-grouping-v178 branch -
https://github.com/inliniac/suricata/tree/dev-detect-grouping-v178



2) Built Suricata and used my normal config file, but made the required
changes in the "detect" section.

What changes are those exactly? Can you share that section of the suricata.yaml?


   a. I tried the default (profile medium, toclient 3, toserver 25) but
then also changed to 30 and 250 just to test. Same results with both.


How many rules do you load? (Or are you trying with no rules as a test?)

3) I have 8 threads set, and I have management cpu set to 0,2 and detect cpu
set to 4-14 (even number cores).

4) management cpu set is exclusive and high, so is detect cpu set


Suricata starts up very quickly (few seconds) and consumes very little RAM.
However, I get cpu 0 with a very small use %, and cpu's 4 & 14 pegged at
100%. kernel_drops are extremely high (compared to my working config).


This is - cpu's 4 and 14 are only pegged - not 4 through 14 (even
numbers only), is that correct?


I know I've got a lot of variables in this setup, but does anyone see
anything obviously wrong with how I've set things up? Should I stop
separating out the management CPU set and just run them on the CPUs that the
detect threads run on?


Thanks,

Joey Barkley


_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC:
http://oisfevents.net



--
Regards,
Peter Manev
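A small diagnostic that reads a Suricata stats.log and surfaces the per-worker skew Michał describes (a couple of workers saturated and dropping while the rest sit idle). This is an added example, not code from the thread or from Suricata itself; it assumes the "Counter | TM Name | Value" layout of stats.log with per-thread capture.kernel_packets / capture.kernel_drops rows, and the sample log below is constructed.

```python
import re
import statistics
from collections import defaultdict

# Constructed stats.log excerpt (made-up thread names and values): two workers hot, three idle.
SAMPLE_STATS_LOG = """\
Counter                   | TM Name                   | Value
capture.kernel_packets    | W#01-eth2                 | 9800000
capture.kernel_drops      | W#01-eth2                 | 4900000
capture.kernel_packets    | W#02-eth2                 | 120000
capture.kernel_drops      | W#02-eth2                 | 0
capture.kernel_packets    | W#03-eth2                 | 115000
capture.kernel_drops      | W#03-eth2                 | 12
capture.kernel_packets    | W#04-eth2                 | 118000
capture.kernel_drops      | W#04-eth2                 | 0
capture.kernel_packets    | W#05-eth2                 | 9700000
capture.kernel_drops      | W#05-eth2                 | 5100000
"""

# One stats row: counter name | thread (TM) name | integer value
LINE_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_capture_counters(text):
    """Return {thread: {"packets": n, "drops": n}} from capture.kernel_* rows."""
    per_thread = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, separator or non-numeric row
        counter, thread, value = m.group(1), m.group(2), int(m.group(3))
        if counter == "capture.kernel_packets":
            per_thread[thread]["packets"] = value
        elif counter == "capture.kernel_drops":
            per_thread[thread]["drops"] = value
    return dict(per_thread)


def drop_ratio(counters):
    """Fraction of a thread's kernel packets that were dropped (0.0 if none seen)."""
    return counters["drops"] / counters["packets"] if counters["packets"] else 0.0


def hot_threads(per_thread, factor=5.0):
    """Threads carrying more than `factor` times the median packet count: the load
    skew an elephant flow (one 5-tuple pinned to one worker) leaves in the counters."""
    median = statistics.median(c["packets"] for c in per_thread.values())
    return sorted(t for t, c in per_thread.items()
                  if median and c["packets"] > factor * median)
```

On the constructed sample, `hot_threads(parse_capture_counters(SAMPLE_STATS_LOG))` returns the two saturated workers, which is the pattern to look for before blaming the detect or affinity configuration.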

