[Oisf-users] suricata 3.2.0 for 10Gb performance

Cooper F. Nelson cnelson at ucsd.edu
Thu Jan 19 22:53:30 UTC 2017 

Hardware RSS has problems because often the flow load balancing is not
symmetric.  This causes problems with suricata as different cores handle
each side of the flow and creates timing issues.

I'm assuming you are using they ixgbe driver, if so you probably need to
patch it.

> http://marc.info/?l=linux-netdev&m=148181173415107&w=2

... and then set a special hash key to force symmetric flows.

I have a special experimental 3.2 build based around full hardware
RSS/offloading using the new AF_PACKET tpacket-v3 mode which is showing
some pretty spectacular performance improvements over the standard
build.  If you are interested I can work with you off list to get it
setup on your hardware, but I'll warn you there are lots of moving parts
to get everything working correctly.

Most important thing first is to make sure you are on a Linux
distribution with a relatively 'fresh' kernel.  I'm on 4.8.7 currently
and at least 4.7+ is recommend.  You also need to be able to install the
source for the kernel and then patch the ixgbe module, or download the
driver and then patch it.

-Coop

On 1/18/2017 6:58 PM, Maxim wrote:
> Thanks all for you guidance. I've read this tutorial. Currently there
> are two approaches to suricata performance tuning. One is to use
> multiple queues, and bind each queue IRQ to a separate core; the
> other one, just like this tutorial shows is to use a single queue,
> but let Linux RFS(receive flow steering) to do what NIC RSS would do.
> I've no idea who is better. I prefer the multiple queue approach
> because I think hardware is better doing calculating than RFS because
> the latter is implemented in software, what do you think? In my case,
> I used 16 RX queues, and bind them to 16 cores separately, when I
> tried to simulate 10 gigabit traffic per second, all the 16 cores
> were fully occupied, but I still have another 8 cores idling. I wanna
> use RFS to distribute busy softirqs to the 8 idle cores, but it turns
> out there is no significant improvement. I turned on hyperthreading,
> and my CPU is 2.1 Ghz, my CPU sucks? Many thanks.
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170119/a4fe9ca8/attachment-0002.sig>

More information about the Oisf-users mailing list