[Oisf-users] suricata 3.2.0 for 10Gb performance

Maxim hittlle at 163.com
Thu Jan 19 02:58:42 UTC 2017


Thanks all for your guidance. I've read this tutorial. Currently there are two approaches to Suricata performance tuning. One is to use multiple queues and bind each queue IRQ to a separate core; the other one, just like this tutorial shows, is to use a single queue but let Linux RFS (receive flow steering) do what NIC RSS would do. I've no idea which is better. I prefer the multiple queue approach because I think hardware is better at doing the calculating than RFS, because the latter is implemented in software. What do you think? In my case, I used 16 RX queues and bound them to 16 cores separately. When I tried to simulate 10 gigabit traffic per second, all the 16 cores were fully occupied, but I still have another 8 cores idling. I wanna use RFS to distribute busy softirqs to the 8 idle cores, but it turns out there is no significant improvement. I turned on hyperthreading, and my CPU is 2.1 GHz. Does my CPU suck? Many thanks.

At 2017-01-19 02:20:29, "Francis Trudeau" <ftrudeau at emergingthreats.net> wrote:
>It looks like he replied to a different thread, sorry for the noise.
>
>ft
>
>On Wed, Jan 18, 2017 at 11:18 AM, Francis Trudeau
><ftrudeau at emergingthreats.net> wrote:
>> Peter Manev put this out recently.  Looks like exactly what you're looking for:
>>
>> https://github.com/pevma/SEPTun
>>
>> FT
>>
>> On Mon, Jan 16, 2017 at 1:25 AM, Maxim <hittlle at 163.com> wrote:
>>> Hi experts,
>>> Do you have any test performance data regarding suricata 3.2.0 with 10Gb
>>> feed traffic per second? How to configure it? Say I have 24 logical cores,
>>> and 12 physical cores, 32Gb memory and one Intel 82599ES NIC. Could you
>>> please point out how to set the threading and af-packet part of
>>> suricata.yaml? Many thanks.
>>>
>>> Hittlle