[Oisf-users] suricata 3.2.0 for 10Gb performance

Cooper F. Nelson cnelson at ucsd.edu
Fri Jan 20 21:16:37 UTC 2017


Unless you are using a packet size of 65536 you are going to be
truncating packets merged via the GRO mechanism.  You will still see
alerts, however, as many will trigger against the first packet.  Plus,
not all packets can be combined via GRO.

I was only able to set a 64k packet size using tpacket-v3, v1-2 did not
work.

However, I've never tried running suricata on RHEL, so it's possible
they are doing something differently in the kernel that properly handles
offloading.

Also remember, suricata 3.2 will disable offloading by default unless
you set this configuration in the YAML:

> capture:
>   disable-offloading: false

-Coop

On 1/20/2017 4:10 AM, erik clark wrote:
> re this bit:
> ---
> Most important thing first is to make sure you are on a Linux
> distribution with a relatively 'fresh' kernel.  I'm on 4.8.7 currently
> and at least 4.7+ is recommended.
> ---
> I am running afpacket with offloading on RHEL7 3.10 or whatever the kernel
> is for 7.3. Works like a champ. :) A newer kernel would be nice, but not
> necessary if you are running RHEL7.
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
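
Added example, not part of the original message or of Suricata itself: a small pre-flight check that compares the merging offloads reported by `ethtool -k` with the capture settings discussed above. The function names, the sample ethtool output and the finding labels are constructed for illustration; the packet size, tpacket-v3 and disable-offloading values are assumed to be read from suricata.yaml by the caller.

```python
import re

# Offloads that merge several wire packets into one large buffer before capture.
MERGING_OFFLOADS = ("generic-receive-offload", "large-receive-offload")
GRO_MAX = 65536  # packet size the message says is needed to hold merged packets

# Constructed sample of `ethtool -k <iface>` output (not taken from a real host).
SAMPLE_ETHTOOL_K = """\
Features for eth2:
rx-checksumming: on
tcp-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
"""

def enabled_merging_offloads(ethtool_text):
    """Return the merging offloads that `ethtool -k` reports as 'on'."""
    pairs = re.findall(r"^[ \t]*([\w-]+):[ \t]+(on|off)\b", ethtool_text, re.M)
    states = dict(pairs)
    return [name for name in MERGING_OFFLOADS if states.get(name) == "on"]

def capture_findings(ethtool_text, packet_size, tpacket_v3, disable_offloading=True):
    """List mismatches between NIC offload state and capture settings.

    disable_offloading=True mirrors the Suricata 3.2 default described in the
    message; in that case offloads are expected to be turned off at startup.
    """
    if disable_offloading:
        return []
    merging = enabled_merging_offloads(ethtool_text)
    findings = []
    if merging and packet_size < GRO_MAX:
        findings.append("TRUNCATION: %s on, packet size %d < %d"
                        % (", ".join(merging), packet_size, GRO_MAX))
    if packet_size >= GRO_MAX and not tpacket_v3:
        # Per the message: a 64k packet size only worked with tpacket-v3.
        findings.append("TPACKET: packet size %d set without tpacket-v3" % packet_size)
    return findings

if __name__ == "__main__":
    for line in capture_findings(SAMPLE_ETHTOOL_K, 1514, True, disable_offloading=False):
        print(line)
```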
