[Oisf-users] SEPTun and memory usage

Peter Manev petermanev at gmail.com
Thu Jul 13 12:13:11 UTC 2017


On Thu, Jul 13, 2017 at 1:57 PM, erik clark <philosnef at gmail.com> wrote:
> All, trying to find out who has worked with the SEPTun document that can
> provide some insight into how much memory they are using to sniff traffic.
>
> We (were) using 8 threads with 200 gigs of ram on a 2.5 Gb/s link. Until
> earlier this week, our drop rate was ~2%. I just moved up to 16 threads,
> still at 200 gigs of ram, since our throughput moved up a bit to ~3.1Gb/s
> and saw a 12% drop rate.
>
> We have 72 cores to work with, and 200 gigs of ram, and just moved to a 4.4
> kernel from a modified 3.10 kernel. What seems reasonable on this kind of
> hardware? We are limited to an 82598 ixgbe interface with a single link.
>

Seems very high memory consumption settings are in place in your case.

SEPTun utilized 64-80 GB of RAM on the 20Gbps. (we also used some
general guidance -
http://pevma.blogspot.se/2015/10/suricata-with-afpacket-memory-of-it-all.html
for getting the calculation of the total possible consumption).

Although sizeof(struct Packet_) is much smaller now, I believe - about 7-800 bytes.

What is also your default packet size (in suricata.yaml) or the MTU?
What is the output of -
suricata --dump-config | grep memcap
What is the ring size of the afpacket configuration?

Thanks

-- 
Regards,
Peter Manev
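
Added example, not part of the original message or of Suricata itself: a small shell helper that totals the memcap lines printed by the `suricata --dump-config | grep memcap` command requested above, so the configured ceilings can be compared against installed RAM. The sample input is constructed, the function names are hypothetical, and it assumes `key = value` lines with kb/mb/gb suffixes as multiples of 1024 and that a value of 0 means no cap.

```shell
#!/bin/sh
# Constructed sample of `suricata --dump-config | grep memcap` output.
# Values are illustrative only, not taken from the thread.
sample_memcaps() {
cat <<'EOF'
defrag.memcap = 32mb
flow.memcap = 1gb
stream.memcap = 12gb
stream.reassembly.memcap = 20gb
host.memcap = 32mb
app-layer.protocols.http.memcap = 0
EOF
}

# Read "key = value" memcap lines on stdin and print two numbers:
#   <total bytes of all finite memcaps> <count of memcaps set to 0>
# Assumption: kb/mb/gb are multiples of 1024; a bare number is bytes;
# 0 is counted as "no cap" and therefore not bounded by this total.
sum_memcaps() {
  awk -F' = ' '
    /memcap/ {
      v = tolower($2)
      gsub(/[ \t"]/, "", v)
      n = v + 0                      # leading numeric part of the value
      if (v ~ /kb$/)      n *= 1024
      else if (v ~ /mb$/) n *= 1024 * 1024
      else if (v ~ /gb$/) n *= 1024 * 1024 * 1024
      if (n == 0) unlimited++
      total += n
    }
    END { printf "%.0f %d\n", total, unlimited }'
}

# On a sensor: suricata --dump-config | grep memcap | sum_memcaps
sample_memcaps | sum_memcaps
```

The total covers only the memcap settings; the af-packet ring buffers and the packet pool (default packet size plus the Packet structure per packet) come on top of it, which is why the ring size and packet size are asked about separately.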
