[Oisf-users] SEPTun and memory usage

Peter Manev petermanev at gmail.com
Thu Jul 13 12:28:05 UTC 2017


On Thu, Jul 13, 2017 at 2:21 PM, erik clark <philosnef at gmail.com> wrote:
> Ring size is 20000
>
> tpacket-v3 is not set to yes, not sure if that would make a significant
> difference. On a 4.4 kernel, maybe?

Also if you follow the article - make sure you use 1 RSS queue.
Is the only thing you changed the number of threads - aka from 8 to 16?

I would suggest to try AFPv3.
Make sure all your worker threads are locked onto the same NUMA node
as the NIC - lscpu will show you the cores and their NUMA location.

>
> defrag.memcap = 512mb
> flow.memcap = 128mb
> stream.memcap = 4gb
> stream.reassembly.memcap = 4gb
> host.memcap = 32 mb
>
> mtu is 1500
>
>
> On Thu, Jul 13, 2017 at 8:13 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Thu, Jul 13, 2017 at 1:57 PM, erik clark <philosnef at gmail.com> wrote:
>> > All, trying to find out who has worked with the SEPTun document that can
>> > provide some insight into how much memory they are using to sniff
>> > traffic.
>> >
>> > We (were) using 8 threads with 200 gigs of ram on a 2.5 Gb/s link. Until
>> > earlier this week, our drop rate was ~2%. I just moved up to 16 threads,
>> > still at 200 gigs of ram, since our throughput moved up a bit to ~3.1Gb/s
>> > and saw a 12% drop rate.
>> >
>> > We have 72 cores to work with, and 200 gigs of ram, and just moved to a 4.4
>> > kernel from a modified 3.10 kernel. What seems reasonable on this kind of
>> > hardware? We are limited to an 82598 ixgbe interface with a single link.
>> >
>>
>> Seems very high memory consumption settings are in place in your case.
>>
>> SEPTun utilized 64-80 GB of RAM on the 20Gbps. (we also used some
>> general guidance -
>>
>> http://pevma.blogspot.se/2015/10/suricata-with-afpacket-memory-of-it-all.html
>> for getting the calculation of the total possible consumption).
>>
>> Although sizeof(structPacket_) is much smaller now I believe - about
>> 7-800 bytes
>>
>> What is also your default packet size (in suricata.yaml) or the MTU?
>> What is the output of -
>> suricata --dump-config |grep memcap
>> What is the ring size of the afpacket configuration?
>>
>> Thanks
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
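
The NUMA check suggested in this message can be scripted. The following is an added example, not part of the original post: it parses `lscpu` output and reports which worker CPUs fall outside the NIC's NUMA node. The sample `lscpu` text, the NIC node and the worker CPU lists are constructed assumptions; on a live host the NIC's node can be read from `/sys/class/net/<iface>/device/numa_node`.

```python
import re

# Constructed sample of `lscpu` output for a two-node, 72-CPU host (not from the thread).
SAMPLE_LSCPU = """\
CPU(s):                72
NUMA node(s):          2
NUMA node0 CPU(s):     0-17,36-53
NUMA node1 CPU(s):     18-35,54-71
"""

def expand_cpu_list(spec):
    """Expand a kernel-style CPU list such as '0-17,36-53' into a set of ints."""
    cpus = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def numa_map(lscpu_text):
    """Return {node_id: set_of_cpus} from the 'NUMA nodeN CPU(s):' lines."""
    nodes = {}
    pattern = r"^NUMA node(\d+) CPU\(s\):[ \t]*([\d,\-]*)"
    for m in re.finditer(pattern, lscpu_text, re.M):
        nodes[int(m.group(1))] = expand_cpu_list(m.group(2))
    return nodes

def off_node_workers(lscpu_text, nic_node, worker_cpus):
    """Return the sorted worker CPUs that are NOT on the NIC's NUMA node."""
    nodes = numa_map(lscpu_text)
    if nic_node not in nodes:
        # sysfs reports -1 when no NUMA affinity is exposed for the device
        raise ValueError(f"NIC NUMA node {nic_node} not in lscpu output")
    return sorted(expand_cpu_list(worker_cpus) - nodes[nic_node])

if __name__ == "__main__":
    # Assumed values: NIC on node 0, 16 worker threads pinned to CPUs 2-17.
    print(off_node_workers(SAMPLE_LSCPU, 0, "2-17"))
    # Same thread count, but the list spills onto node 1.
    print(off_node_workers(SAMPLE_LSCPU, 0, "4-19"))
```

An empty result means every worker CPU in the list is local to the NIC's node; any CPU returned is on a remote node.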
