[Oisf-users] SEPTun and memory usage

Cloherty, Sean E scloherty at mitre.org
Fri Jul 14 13:23:37 UTC 2017


I’ve posted this earlier and hope that this can be useful.


If you are using AF-PACKET (and why wouldn't you), the attached spreadsheet may help.  It is derived from Peter Manev's highly detailed review of various configuration options and their effect on memory utilization.  http://pevma.blogspot.com/2015/10/suricata-with-afpacket-memory-of-it-all.html



I began creating this during a Suricata training class so I could save time when testing different configurations.  Peter has reviewed it for accuracy and correct nomenclature.  I hope that it will be of some use to the community.



Sean Cloherty


From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of erik clark
Sent: Thursday, July 13, 2017 07:58 AM
To: Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] SEPTun and memory usage

All, trying to find out who has worked with the SEPTun document that can provide some insight into how much memory they are using to sniff traffic.

We (were) using 8 threads with 200 gigs of ram on a 2.5 Gb/s link. Until earlier this week, our drop rate was ~2%. I just moved up to 16 threads, still at 200 gigs of ram, since our throughput moved up a bit to ~3.1Gb/s and saw a 12% drop rate.

We have 72 cores to work with, and 200 gigs of ram, and just moved to a 4.4 kernel from a modified 3.10 kernel. What seems reasonable on this kind of hardware? We are limited to an 82598 ixgbe interface with a single link.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SuricataMemCalc.ods
Type: application/oleobject
Size: 5827 bytes
Desc: SuricataMemCalc.ods
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170714/c8bae458/attachment-0002.bin>

