[Oisf-users] af-packet and Linux Kernel version

Peter Manev petermanev at gmail.com
Fri Nov 18 15:16:32 UTC 2016


On Fri, Nov 18, 2016 at 3:53 PM, Jim Hranicky <jfh at ufl.edu> wrote:
> I'm now testing out afpacket with 1 suri vs pfring/zbalance_ipc/31
> suris, and I'm seeing a huge difference. Both of my sensors
> are getting identical feeds.
>
> Here are some sample sigs/counts (last 6 hours):
>
>   Sig                                                                                   AFP     PFR
>   -------------------------------------------------------------------------------     -----  ------
>   ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set             199    1090
>   ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set      3606   22405
>   ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set             3684   23127
>   ET INFO Session Traversal Utilities for NAT (STUN Binding Response)                 15016   44789
>   ET INFO Session Traversal Utilities for NAT (STUN Binding Request)                  15354   46498
>   ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03     34531  765946
>
> It seems that af-packet is experiencing much more packet loss
> in my setup.
>
> I don't know if I've misconfigured something somewhere, but
> I currently don't see a compelling reason to move from pfring.

Feel free to share (privately if you would like) your config/setup/stats so I (we) can have a look at the AFP setup you have.


>
> Jim
>
> On 11/15/2016 02:54 PM, Michał Purzyński wrote:
>> Pfring is fake fast but guaranteed packet reordering and missed
>> events too. Nice for benchmarks but not for the real world.
>>
>>> On 15 Nov 2016, at 20:47, Jim Hranicky <jfh at ufl.edu> wrote:
>>>
>>> FWIW, I've gotten good results with pfring/zbalance ipc with 31
>>> queues for suri and 31 separate suri procs using zc:99 at 0-zc:99 at 31
>>> (and 1 for tcpdump and the like). It seems to be outperforming
>>> snort in a similar setup, with the exception of some rules
>>> (IP-only rules, oddly).
>>>
>>> ixgbe limits us to 16 queues/cores, unfortunately, and according
>>> to the pfring list, zbalance_ipc is limited to 32 queues or
>>> I'd go higher (36 core machine/72 with HT).
>>>
>>> We're looking at going with the fm10k cards with 10g SFPs in
>>> the near future. It looks like they can handle RSS values of
>>> up to 128.
>>>
>>> Are folks seeing better performance with af-packet vs. pfring?
>>>
>>> $0.02, feedback welcome.
>>>
>>> --
>>> Jim Hranicky
>>> Data Security Specialist
>>> UF Information Technology
>>> 105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826
>>> 352-273-1341
>>>
>>>
>>>> On 11/15/2016 02:01 PM, Michał Purzyński wrote:
>>>> The new afpacket from 4.4 will use card hash if rxhash variable is enabled.
>>>>
>>>> Disable it with ethtool and verify with ethtool -k
>>>>
>>>>> On 15 Nov 2016, at 19:52, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>>>>
>>>>> Hi Eric and Peter!
>>>>>
>>>>> Great meeting everyone @Suricon, I had an awesome time.
>>>>>
>>>>> I've been reviewing our build here and can confirm we are still seeing
>>>>> the ixgbe asymmetric hashing issue even on a very recent kernel/driver
>>>>> (4.8.7).  I think what happened was that when I was doing my testing
>>>>> with the newer kernels I was only monitoring a single host, so the
>>>>> timing issues with asymmetric hashing on the NIC itself did not cause an
>>>>> issue.  Under load it's still a problem, however.
>>>>>
>>>>> I've tried using a single RSS queue tied to one core as mentioned in
>>>>> your link, however on our system (2.8 Ghz Xeon) the core is pegged at
>>>>> 100% and we are seeing over 50% packet drops.  Is there a published
>>>>> tuning guide, including kernel and NIC/ethtool settings, for this
>>>>> configuration?
>>>>>
>>>>> -Coop
>>>>>
>>>>>> On 11/14/2016 3:24 PM, Eric Leblond wrote:
>>>>>> I meant
>>>>>>
>>>>>> http://suricata.readthedocs.io/en/latest/performance/packet-capture.html
>>>>>>
>>>>>> Sorry to have pointed to old doc.
>>>>>>
>>>>>> BR,
>>>>>> -- Eric Leblond <eric at regit.org>
>>>>>> _______________________________________________ Suricata IDS Users
>>>>>> mailing list: oisf-users at openinfosecfoundation.org Site:
>>>>>> http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>>>> List:
>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>>>>
>>>>>
>>>>> --
>>>>> Cooper Nelson
>>>>> Network Security Analyst
>>>>> UCSD ITS Security Team
>>>>> cnelson at ucsd.edu x41042
>>>>>
>>>>



-- 
Regards,
Peter Manev
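An added example, not from the thread, that mechanises the check Michał describes for the 4.4+ af-packet behaviour: it parses `ethtool -k` output for the receive-hashing (rxhash) feature and compares the running kernel against 4.4, so you know whether af-packet would consume the NIC hash instead of its own flow hash. The interface argument and script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report whether af-packet on this host
# would pick up the NIC's RSS hash (the "receive-hashing"/rxhash feature)
# instead of computing its own flow hash, which needs kernel >= 4.4 plus
# rxhash enabled. Interface name is an assumed argument: ./afp-check.sh eth0

# kernel_at_least WANTED RELEASE: succeeds if RELEASE (uname -r style) >= WANTED (major.minor)
kernel_at_least() {
    want_major=${1%%.*}
    want_minor=${1#*.}; want_minor=${want_minor%%.*}
    rel=${2%%-*}                          # drop "-generic", "-327.el7..." suffixes
    have_major=${rel%%.*}
    rest=${rel#*.}; have_minor=${rest%%.*}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ] && return 0
    return 1
}

# rxhash_state ETHTOOL_K_OUTPUT: prints on, off or unknown for the receive-hashing feature
rxhash_state() {
    printf '%s\n' "$1" | awk -F': *' '
        /^receive-hashing:/ { sub(/ .*/, "", $2); print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# afp_hash_verdict RELEASE ETHTOOL_K_OUTPUT: one-line verdict; exit 1 when the NIC hash would be used
afp_hash_verdict() {
    state=$(rxhash_state "$2")
    if kernel_at_least 4.4 "$1" && [ "$state" = on ]; then
        echo "kernel $1 with receive-hashing on: af-packet will use the NIC hash"
        return 1
    fi
    echo "kernel $1, receive-hashing=$state: af-packet uses its own flow hash"
    return 0
}

# Live check of a real interface (requires ethtool; skipped when no argument is given).
if [ -n "$1" ]; then
    afp_hash_verdict "$(uname -r)" "$(ethtool -k "$1")" || echo "disable with: ethtool -K $1 rxhash off"
fi
```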