[Oisf-users] SEPTun and memory usage

erik clark philosnef at gmail.com
Fri Jul 14 09:44:20 EDT 2017


Sean, thanks for this. I think I had actually googled up your paper before.
:) This memory calculator is very nice.

I noticed that when I squashed rss queue to 1 on a 4.12 kernel, I went from
less than .05% packet loss to ~9% packet loss. Any idea why that might have
occured? I have read some conflicting things about rss queues depending on
kernel version, namely this bit:

AF_PACKET: 1 RSS queue and stay on kernel <=4.2 or make sure you have
>=4.4.16, >=4.6.5 or >=4.7. Exception: if RSS is symmetric cluster-type
'cluster_qm' can be used to bind Suricata to the RSS queues. Disable NIC
offloading except the rx/tx csum.

from
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture

Thank you for all the help tuning out memory issues suri. My goal is to try
and get packet loss below .01%. Heres for trying!


On Fri, Jul 14, 2017 at 9:23 AM, Cloherty, Sean E <scloherty at mitre.org>
wrote:

> I’ve post this earlier and hope that this can be useful.
>
>
>
> If you are using AF-PACKET (and why wouldn't you), the attached
> spreadsheet may help.  It is derived from Peter Manev's highly detailed
> review of various configuration options and their affect on memory
> utilization.  http://pevma.blogspot.com/2015/10/suricata-with-
> afpacket-memory-of-it-all.html
>
>
>
> I began creating this during a Suricata training class so I could save
> time when testing different configurations.  Peter has reviewed it for
> accuracy and correct nomenclature.  I hope that it will be of some use to
> the community.
>
>
>
> Sean Cloherty
>
>
>
>
>
> *From:* Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.
> org] *On Behalf Of *erik clark
> *Sent:* Thursday, July 13, 2017 07:58 AM
> *To:* Open Information Security Foundation <oisf-users at lists.
> openinfosecfoundation.org>
> *Subject:* Re: [Oisf-users] SEPTun and memory usage
>
>
>
> All, trying to find out who has worked with the SEPTun document that can
> provide some insight into how much memory they are using to sniff traffic.
>
>
>
> We (were) using 8 threads with 200 gigs of ram on a 2.5 Gb/s link. Until
> earlier this week, our drop rate was ~2%. I just moved up to 16 threads,
> still at 200 gigs of ram, since our throughput moved up a bit to ~3.1Gb/s
> and saw a 12% drop rate.
>
>
>
> We have 72 cores to work with, and 200 gigs of ram, and just moved to a
> 4.4 kernel from a modified 3.10 kernel. What seems reasonable on this kind
> of hardware? We are limited to an 82598 ixgbe interface with a single link.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170714/02205a39/attachment.html>


More information about the Oisf-users mailing list