[Oisf-users] af-packet and Linux Kernel version

Michał Purzyński michalpurzynski1 at gmail.com
Tue Nov 15 19:54:26 UTC 2016


Pfring is fake fast but with guaranteed packet reordering and missed events too. Nice for benchmarks but not for the real world.

> On 15 Nov 2016, at 20:47, Jim Hranicky <jfh at ufl.edu> wrote:
> 
> FWIW, I've gotten good results with pfring/zbalance ipc with 31
> queues for suri and 31 separate suri procs using zc:99@0-zc:99@31
> (and 1 for tcpdump and the like). It seems to be outperforming
> snort in a similar setup, with the exception of some rules
> (IP-only rules, oddly).
> 
> ixgbe limits us to 16 queues/cores, unfortunately, and according
> to the pfring list, zbalance_ipc is limited to 32 queues or
> I'd go higher (36 core machine/72 with HT).
> 
> We're looking at going with the fm10k cards with 10g SFPs in
> the near future. It looks like they can handle RSS values of
> up to 128.
> 
> Are folks seeing better performance with af-packet vs. pfring?
> 
> $0.02, feedback welcome.
> 
> --
> Jim Hranicky
> Data Security Specialist
> UF Information Technology
> 105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826
> 352-273-1341
> 
> 
>> On 11/15/2016 02:01 PM, Michał Purzyński wrote:
>> The new afpacket from 4.4 will use card hash if rxhash variable is enabled.
>> 
>> Disable it with ethtool and verify with ethtool -k 
>> 
>>> On 15 Nov 2016, at 19:52, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>> 
>>> Hi Eric and Peter!
>>> 
>>> Great meeting everyone @Suricon, I had an awesome time.
>>> 
>>> I've been reviewing our build here and can confirm we are still seeing
>>> the ixgbe asymmetric hashing issue even on a very recent kernel/driver
>>> (4.8.7).  I think what happened was that when I was doing my testing
>>> with the newer kernels I was only monitoring a single host, so the
>>> timing issues with asymmetric hashing on the NIC itself did not cause an
>>> issue.  Under load it's still a problem, however.
>>> 
>>> I've tried using a single RSS queue tied to one core as mentioned in
>>> your link, however on our system (2.8 GHz Xeon) the core is pegged at
>>> 100% and we are seeing over 50% packet drops.  Is there a published
>>> tuning guide, including kernel and NIC/ethtool settings, for this
>>> configuration?
>>> 
>>> -Coop
>>> 
>>>> On 11/14/2016 3:24 PM, Eric Leblond wrote:
>>>> I meant 
>>>> 
>>>> http://suricata.readthedocs.io/en/latest/performance/packet-capture.html
>>>> 
>>>> Sorry to have pointed to old doc.
>>>> 
>>>> BR,
>>>> -- Eric Leblond <eric at regit.org>
>>>> _______________________________________________ Suricata IDS Users
>>>> mailing list: oisf-users at openinfosecfoundation.org Site:
>>>> http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>> List:
>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>> 
>>> 
>>> -- 
>>> Cooper Nelson
>>> Network Security Analyst
>>> UCSD ITS Security Team
>>> cnelson at ucsd.edu x41042
>>> 
>> 
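
Added example, not part of the thread and not Suricata or driver code: a small Toeplitz RSS model showing why the asymmetric NIC hashing discussed above sends the two directions of one flow to different queues, and how a key with a 16-bit period removes the split. The keys, the sample flows and the `hash % queues` queue mapping are assumptions made for illustration.

```python
import ipaddress
import struct

# Key from Microsoft's RSS verification suite, used here only as a sample
# non-symmetric key (assumption: not read from any NIC in the thread).
SAMPLE_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa")
# 0x6d5a repeated: a key with a 16-bit period, which makes Toeplitz symmetric.
SYMMETRIC_KEY = bytes.fromhex("6d5a") * 20

# Constructed sample flows: (src ip, dst ip, src port, dst port).
FLOWS = [
    ("192.0.2.10", "198.51.100.7", 51514, 443),
    ("192.0.2.11", "198.51.100.7", 40022, 80),
    ("203.0.113.5", "192.0.2.99", 33000, 25),
    ("198.51.100.20", "203.0.113.77", 1025, 53),
]


def toeplitz(key, data):
    """32-bit Toeplitz hash: XOR the key window at every set input bit."""
    key_int, key_bits, result = int.from_bytes(key, "big"), len(key) * 8, 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def direction_hashes(key, flow):
    """Hash the TCP/IPv4 4-tuple as seen in each direction of the flow."""
    src, dst, sport, dport = flow
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    fwd = toeplitz(key, s + d + struct.pack("!HH", sport, dport))
    rev = toeplitz(key, d + s + struct.pack("!HH", dport, sport))
    return fwd, rev


def split_flows(key, flows, queues=16):
    """Flows whose two directions land on different RX queues.
    Simplification: queue = hash % queues (round-robin indirection table)."""
    return [f for f in flows
            if len({h % queues for h in direction_hashes(key, f)}) == 2]


if __name__ == "__main__":
    for name, key in (("sample", SAMPLE_KEY), ("symmetric", SYMMETRIC_KEY)):
        print(name, "key splits", len(split_flows(key, FLOWS)), "of", len(FLOWS))
```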


