[Oisf-users] suricata 3.2.0 for 10Gb performance

erik clark philosnef at gmail.com
Fri Jan 20 22:11:13 UTC 2017


Interesting. I will double-check with RH on Monday regarding tpacket-v3 in
RHEL7. I know that 6 isn't compliant though.

On Fri, Jan 20, 2017 at 4:16 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Unless you are using a packet size of 65536 you are going to be
> truncating packets merged via the GRO mechanism.  You will still see
> alerts, however, as many will trigger against the first packet.  Plus,
> not all packets can be combined via GRO.
>
> I was only able to set a 64k packet size using tpacket-v3, v1-2 did not
> work.
>
> However, I've never tried running suricata on RHEL, so it's possible
> they are doing something differently in the kernel that properly handles
> offloading.
>
> Also remember, suricata 3.2 will disable offloading by default unless
> you set this configuration in the YAML:
>
> > capture:
> >   disable-offloading: false
>
> -Coop
>
> On 1/20/2017 4:10 AM, erik clark wrote:
> > re this bit:
> > ---
> > Most important thing first is to make sure you are on a Linux
> > distribution with a relatively 'fresh' kernel.  I'm on 4.8.7 currently
> > and at least 4.7+ is recommended.
> > ---
> > I am running afpacket with offloading on RHEL7 3.10 or whatever the kernel
> > is for 7.3. Works like a champ. :) A newer kernel would be nice, but not
> > necessary if you are running RHEL7.
> >
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
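The offloading and packet-size reasoning from the quoted reply, written as a sensor check. This is an added example, not part of the original thread and not Suricata code. The function names, the interface name and the sample `ethtool -k` output are constructed; the 65536 threshold and the tpacket-v3 remark are taken from the reply.

```python
import re

GRO_MAX_FRAME = 65536  # packet size the reply says is needed for GRO-merged frames
MERGING_OFFLOADS = ("generic-receive-offload", "large-receive-offload")

# Constructed sample of `ethtool -k <iface>` output (not from the thread).
SAMPLE_ETHTOOL = """\
Features for eth2:
rx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
"""

def parse_offloads(ethtool_text):
    """Return {feature: bool} parsed from `ethtool -k` output."""
    features = {}
    for line in ethtool_text.splitlines():
        m = re.match(r"\s*([\w-]+):\s+(on|off)\b", line)
        if m:
            features[m.group(1)] = (m.group(2) == "on")
    return features

def audit(ethtool_text, packet_size, tpacket_v3, suricata_disables_offloading):
    """List capture risks, following the reasoning in the quoted reply.

    suricata_disables_offloading is True unless the YAML sets
    capture.disable-offloading to false (the 3.2 behaviour described above).
    """
    if suricata_disables_offloading:
        return []  # Suricata turns the offloads off itself; NIC state is moot
    features = parse_offloads(ethtool_text)
    merging = [f for f in MERGING_OFFLOADS if features.get(f)]
    findings = []
    if merging and packet_size < GRO_MAX_FRAME:
        findings.append("truncation: %s on, packet size %d < %d"
                        % (", ".join(merging), packet_size, GRO_MAX_FRAME))
    if merging and packet_size >= GRO_MAX_FRAME and not tpacket_v3:
        findings.append("64k packet size reported to work only with tpacket-v3")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ETHTOOL, 1514, True, False):
        print(finding)
```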