[Oisf-users] af-packet and Linux Kernel version

Jim Hranicky jfh at ufl.edu
Fri Nov 18 14:53:07 UTC 2016


I'm now testing out afpacket with 1 suri vs pfring/zbalance_ipc/31
suris, and I'm seeing a huge difference. Both of my sensors
are getting identical feeds. 

Here are some sample sigs/counts (last 6 hours): 

  Sig                                                                                   AFP     PFR
  -------------------------------------------------------------------------------     -----  ------
  ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set             199    1090  
  ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set      3606   22405  
  ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set             3684   23127  
  ET INFO Session Traversal Utilities for NAT (STUN Binding Response)                 15016   44789  
  ET INFO Session Traversal Utilities for NAT (STUN Binding Request)                  15354   46498  
  ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03     34531  765946  

It seems that af-packet is experiencing much more packet loss
in my setup. 

I don't know if I've misconfigured something somewhere, but 
I currently don't see a compelling reason to move from pfring. 

Jim

On 11/15/2016 02:54 PM, Michał Purzyński wrote:
> Pfring is fake fast but guaranteed packet reordering and missed 
> events too. Nice for benchmarks but not for a real world.
> 
>> On 15 Nov 2016, at 20:47, Jim Hranicky <jfh at ufl.edu> wrote:
>>
>> FWIW, I've gotten good results with pfring/zbalance ipc with 31
>> queues for suri and 31 separate suri procs using zc:99 at 0-zc:99 at 31
>> (and 1 for tcpdump and the like). It seems to be outperforming
>> snort in a similar setup, with the exception of some rules
>> (IP-only rules, oddly).
>>
>> ixgbe limits us to 16 queues/cores, unfortunately, and according
>> to the pfring list, zbalance_ipc is limited to 32 queues or
>> I'd go higher (36 core machine/72 with HT).
>>
>> We're looking at going with the fm10k cards with 10g SFPs in
>> the near future. It looks like they can handle RSS values of
>> up to 128.
>>
>> Are folks seeing better performance with af-packet vs. pfring?
>>
>> $0.02, feedback welcome.
>>
>> --
>> Jim Hranicky
>> Data Security Specialist
>> UF Information Technology
>> 105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826
>> 352-273-1341
>>
>>
>>> On 11/15/2016 02:01 PM, Michał Purzyński wrote:
>>> The new afpacket from 4.4 will use card hash if rxhash variable is enabled.
>>>
>>> Disable it with ethtool and verify with ethtool -k 
>>>
>>>> On 15 Nov 2016, at 19:52, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>>>
>>>> Hi Eric and Peter!
>>>>
>>>> Great meeting everyone @Suricon, I had an awesome time.
>>>>
>>>> I've been reviewing our build here and can confirm we are still seeing
>>>> the ixgbe asymmetric hashing issue even on a very recent kernel/driver
>>>> (4.8.7).  I think what happened was that when I was doing my testing
>>>> with the newer kernels I was only monitoring a single host, so the
>>>> timing issues with asymmetric hashing on the NIC itself did not cause an
>>>> issue.  Under load it's still a problem, however.
>>>>
>>>> I've tried using a single RSS queue tied to one core as mentioned in
>>>> your link, however on our system (2.8 Ghz Xeon) the core is pegged at
>>>> 100% and we are seeing over 50% packet drops.  Is there a published
>>>> tuning guide, including kernel and NIC/ethtool settings, for this
>>>> configuration?
>>>>
>>>> -Coop
>>>>
>>>>> On 11/14/2016 3:24 PM, Eric Leblond wrote:
>>>>> I meant 
>>>>>
>>>>> http://suricata.readthedocs.io/en/latest/performance/packet-capture.html
>>>>>
>>>>> Sorry to have pointed to old doc.
>>>>>
>>>>> BR,
>>>>> -- Eric Leblond <eric at regit.org>
>>>>> _______________________________________________
>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>>>
>>>>
>>>> -- 
>>>> Cooper Nelson
>>>> Network Security Analyst
>>>> UCSD ITS Security Team
>>>> cnelson at ucsd.edu x41042
>>>>
>>>
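The "asymmetric hashing" that Cooper and Michał discuss can be reproduced offline. This is an added example, not code from the thread or from Suricata: it implements the standard Toeplitz RSS hash and shows that with the default Microsoft key the two directions of one TCP flow hash (and so can land on different capture queues and threads), while the 0x6d5a-repeated key used for symmetric RSS maps both directions to the same queue. The key bytes and the 66.9.149.187 / 161.142.100.80 test vector come from the Microsoft RSS specification; the 16-queue figure is an assumption matching the ixgbe limit mentioned above.

```python
import ipaddress

# Microsoft's RSS verification key (from the NDIS RSS spec) and the
# 0x6d5a-repeated key commonly used to obtain symmetric RSS.
MS_RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b477cb2da38030f20c"
    "6a42b73bbeac01fa"
)
SYMMETRIC_KEY = bytes.fromhex("6d5a" * 20)

def toeplitz_hash(key: bytes, data: bytes) -> int:
    """Standard Toeplitz RSS hash: XOR together the 32-bit key window
    that starts at the position of every set bit of the input."""
    assert len(key) * 8 >= len(data) * 8 + 32, "key too short for input"
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for i in range(len(data) * 8):
        if (data[i // 8] >> (7 - i % 8)) & 1:
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result

def tcp4_input(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """RSS input for IPv4+TCP: src addr, dst addr, src port, dst port."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + sport.to_bytes(2, "big") + dport.to_bytes(2, "big"))

def rss_queue(key, src_ip, dst_ip, sport, dport, nqueues: int) -> int:
    """Queue (hence capture thread) a packet lands on: hash mod queues."""
    return toeplitz_hash(key, tcp4_input(src_ip, dst_ip, sport, dport)) % nqueues

def flow_is_split(key, src_ip, dst_ip, sport, dport, nqueues: int) -> bool:
    """True if the two directions of a flow land on different queues.
    A split flow is reassembled by two threads, which is the reordering
    and missed-event problem described for asymmetric NIC hashing."""
    fwd = rss_queue(key, src_ip, dst_ip, sport, dport, nqueues)
    rev = rss_queue(key, dst_ip, src_ip, dport, sport, nqueues)
    return fwd != rev

if __name__ == "__main__":
    # Constructed flow (the spec's verification vector); 16 queues assumed.
    flow = ("66.9.149.187", "161.142.100.80", 2794, 1766)
    for name, key in (("microsoft", MS_RSS_KEY), ("0x6d5a", SYMMETRIC_KEY)):
        print(name, "split across queues:", flow_is_split(key, *flow, 16))
```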