[Oisf-users] SEPTun and memory usage

erik clark philosnef at gmail.com
Thu Jul 13 08:21:20 EDT 2017


Ring size is 20000

tpacket-v3 is not set to yes, not sure if that would make a significant
difference. On a 4.4 kernel, maybe?

defrag.memcap = 512mb
flow.memcap = 128mb
stream.memcap = 4gb
stream.reassembly.memcap = 4gb
host.memcap = 32 mb

mtu is 1500


On Thu, Jul 13, 2017 at 8:13 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Thu, Jul 13, 2017 at 1:57 PM, erik clark <philosnef at gmail.com> wrote:
> > All, trying to find out who has worked with the SEPTun document that can
> > provide some insight into how much memory they are using to sniff traffic.
> >
> > We (were) using 8 threads with 200 gigs of ram on a 2.5 Gb/s link. Until
> > earlier this week, our drop rate was ~2%. I just moved up to 16 threads,
> > still at 200 gigs of ram, since our throughput moved up a bit to ~3.1Gb/s
> > and saw a 12% drop rate.
> >
> > We have 72 cores to work with, and 200 gigs of ram, and just moved to a 4.4
> > kernel from a modified 3.10 kernel. What seems reasonable on this kind of
> > hardware? We are limited to an 82598 ixgbe interface with a single link.
> >
>
> Seems very high memory consumption settings are in place in your case.
>
> SEPTun utilized 64-80 GB of RAM on the 20Gbps. (we also used some
> general guidance -
> http://pevma.blogspot.se/2015/10/suricata-with-afpacket-memory-of-it-all.html
> for getting the calculation of the total possible consumption).
>
> Although sizeof(structPacket_) is much smaller now I believe - about
> 7-800 bytes
>
> What is also your default packet size (in suricata.yaml) or the MTU?
> What is the output of -
> suricata --dump-config |grep memcap
> What is the ring size of the afpacket configuration?
>
> Thanks
>
> --
> Regards,
> Peter Manev
>
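
Added example (not part of the original thread and not Suricata project code): a Python script that totals the memcap values reported above and adds a rough af-packet ring estimate for the 8- and 16-thread cases. The per-slot model (MTU plus a 14-byte Ethernet header plus an 800-byte Packet structure, one ring per thread) is a simplifying assumption, not the formula from the linked blog post, and the function names are hypothetical.

```python
import re

# Constructed input: the memcap values reported in this thread, in the
# "key = value" form the thread quotes them in.
DUMP = """\
defrag.memcap = 512mb
flow.memcap = 128mb
stream.memcap = 4gb
stream.reassembly.memcap = 4gb
host.memcap = 32 mb
"""
UNITS = {None: 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

def parse_size(text):
    """Convert '512mb', '4gb' or '32 mb' to bytes (binary units)."""
    m = re.fullmatch(r"(\d+)\s*(kb|mb|gb)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_memcaps(dump):
    """Return {setting: bytes} for every '<name>.memcap = <size>' line."""
    caps = {}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith("memcap"):
            caps[key.strip()] = parse_size(value)
    return caps

def ring_bytes(threads, ring_size, mtu, packet_struct=800):
    # Assumed model: one ring per thread, each slot sized for a full frame
    # (MTU + 14-byte Ethernet header) plus one Packet structure (~800 bytes).
    return threads * ring_size * (mtu + 14 + packet_struct)

def budget(dump, threads, ring_size, mtu):
    """Worst-case bytes: all memcaps filled plus all ring slots in use."""
    return sum(parse_memcaps(dump).values()) + ring_bytes(threads, ring_size, mtu)

if __name__ == "__main__":
    for threads in (8, 16):  # the two thread counts mentioned in the thread
        total = budget(DUMP, threads, ring_size=20000, mtu=1500)
        print(f"{threads} threads: {total / 1024**3:.2f} GiB")
```

The memcap values are ceilings, so the total is an upper bound for these settings under the stated model rather than a measurement of actual usage.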