[Oisf-users] af-packet and Linux Kernel version

Jim Hranicky jfh at ufl.edu
Tue Nov 15 19:47:37 UTC 2016


FWIW, I've gotten good results with pfring/zbalance_ipc with 31
queues for suri and 31 separate suri procs using zc:99@0-zc:99@31
(and 1 for tcpdump and the like). It seems to be outperforming
snort in a similar setup, with the exception of some rules
(IP-only rules, oddly).

ixgbe limits us to 16 queues/cores, unfortunately, and according
to the pfring list, zbalance_ipc is limited to 32 queues or
I'd go higher (36 core machine/72 with HT).

We're looking at going with the fm10k cards with 10g SFPs in
the near future. It looks like they can handle RSS values of
up to 128.

Are folks seeing better performance with af-packet vs. pfring?

$0.02, feedback welcome.

--
Jim Hranicky
Data Security Specialist
UF Information Technology
105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826
352-273-1341


On 11/15/2016 02:01 PM, Michał Purzyński wrote:
> The new afpacket from 4.4 will use card hash if rxhash variable is enabled.
> 
> Disable it with ethtool and verify with ethtool -k 
> 
>> On 15 Nov 2016, at 19:52, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>
>> Hi Eric and Peter!
>>
>> Great meeting everyone @Suricon, I had an awesome time.
>>
>> I've been reviewing our build here and can confirm we are still seeing
>> the ixgbe asymmetric hashing issue even on a very recent kernel/driver
>> (4.8.7).  I think what happened was that when I was doing my testing
>> with the newer kernels I was only monitoring a single host, so the
>> timing issues with asymmetric hashing on the NIC itself did not cause an
>> issue.  Under load it's still a problem, however.
>>
>> I've tried using a single RSS queue tied to one core as mentioned in
>> your link, however on our system (2.8 GHz Xeon) the core is pegged at
>> 100% and we are seeing over 50% packet drops.  Is there a published
>> tuning guide, including kernel and NIC/ethtool settings, for this
>> configuration?
>>
>> -Coop
>>
>>> On 11/14/2016 3:24 PM, Eric Leblond wrote:
>>> I meant 
>>>
>>> http://suricata.readthedocs.io/en/latest/performance/packet-capture.html
>>>
>>> Sorry to have pointed to old doc.
>>>
>>> BR,
>>> -- Eric Leblond <eric at regit.org>
>>> _______________________________________________ Suricata IDS Users
>>> mailing list: oisf-users at openinfosecfoundation.org Site:
>>> http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>
>>
>> -- 
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ITS Security Team
>> cnelson at ucsd.edu x41042
>>
> 
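
Added example (not part of the thread, and not Suricata or driver code): a Toeplitz RSS hash in Python showing how the two directions of one flow can land on different NIC queues, which is the asymmetric hashing problem discussed above, and how a 16-bit-periodic key (0x6d5a repeated) keeps both directions together. The asymmetric key, the flow tuples and the `hash % 16` queue selection are constructed assumptions, not ixgbe's actual defaults.

```python
import hashlib
import ipaddress
import struct

# Constructed, non-periodic 40-byte key standing in for a NIC's default RSS key.
ASYM_KEY = hashlib.sha512(b"constructed-rss-key").digest()[:40]
# 16-bit-periodic key: each 32-bit key window depends only on (bit offset mod 16),
# so swapping 32-bit addresses or 16-bit ports leaves the hash unchanged.
SYM_KEY = bytes.fromhex("6d5a") * 20


def toeplitz(key: bytes, data: bytes) -> int:
    """Toeplitz hash: for every set input bit i, XOR in key bits [i, i+32)."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def rss_queue(key, src, dst, sport, dport, queues=16):
    """Queue for an IPv4/TCP 4-tuple (simplified: hash modulo queue count)."""
    data = (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack(">HH", sport, dport))
    return toeplitz(key, data) % queues


def split_flows(key, flows):
    """Return the flows whose two directions are steered to different queues."""
    return [f for f in flows
            if rss_queue(key, *f) != rss_queue(key, f[1], f[0], f[3], f[2])]


# Constructed sample flows using documentation address ranges.
FLOWS = [("192.0.2.%d" % i, "198.51.100.%d" % (i * 3 % 250 + 1), 40000 + i, 443)
         for i in range(1, 65)]

if __name__ == "__main__":
    for name, key in (("constructed asymmetric key", ASYM_KEY),
                      ("0x6d5a symmetric key", SYM_KEY)):
        bad = split_flows(key, FLOWS)
        print(f"{name}: {len(bad)}/{len(FLOWS)} flows split across queues")
```

A flow reported as split is one where the per-queue capture thread would see only half of the TCP conversation.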


