[Oisf-users] BPF filter for a mid/high traffic throughput

Carlos Lopez clopmz at outlook.com
Wed Dec 19 08:27:47 UTC 2018

Yes, between 10%-20% ...

ethtool -k output:

Features for eno3:
rx-checksumming: off
tx-checksumming: off
        tx-checksum-ipv4: off [fixed]
        tx-checksum-ip-generic: off
        tx-checksum-ipv6: off [fixed]
        tx-checksum-fcoe-crc: on [fixed]
        tx-checksum-sctp: off
scatter-gather: off
        tx-scatter-gather: off
        tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
        tx-tcp-segmentation: off
        tx-tcp-ecn-segmentation: off [fixed]
        tx-tcp6-segmentation: off
        tx-tcp-mangleid-segmentation: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off
ntuple-filters: off
receive-hashing: off
highdma: on [fixed]
rx-vlan-filter: off
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: on [fixed]
tx-gre-segmentation: off [requested on]
tx-ipip-segmentation: off [requested on]
tx-sit-segmentation: off [requested on]
tx-udp_tnl-segmentation: off [requested on]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
busy-poll: off [fixed]
tx-gre-csum-segmentation: off [requested on]
tx-udp_tnl-csum-segmentation: off [requested on]
tx-gso-partial: off
tx-sctp-segmentation: off [fixed]
rx-gro-hw: off [fixed]
l2-fwd-offload: off
hw-tc-offload: off
rx-udp_tunnel-port-offload: on

From: Peter Manev <petermanev at gmail.com>
Sent: 19 December 2018 07:48
To: Carlos Lopez
Cc: oisf users
Subject: Re: [Oisf-users] BPF filter for a mid/high traffic throughput

On Wed, Dec 19, 2018 at 7:43 AM Carlos Lopez <clopmz at outlook.com> wrote:
> Hi all,
> I need to monitor a network with a 4-5GiB traffic throughput per media with one Suricata 4.1.0 (under CentOS 7.6) sensor installed in a host with 64GB RAM and 16 phys cores. To avoid losing packets and/or CPU power analyzing large packets, I am thinking of capturing all client traffic, SYN/FIN packets and the first packet of server responses (for all protocols). For example,

You should be able to handle 4-5Gbps traffic with that configuration I
think without packet loss (or something relatively small like 0.x% or
Did you experience big packet loss?

Yes, between 10%-20% ...

> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

Peter Manev
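The ethtool -k dump posted above is the usual first thing to check when a sensor drops packets: receive/segmentation offloads (GRO, LRO, TSO, GSO) hand the capture engine merged or re-split segments that never existed on the wire, and VLAN offload strips tags before Suricata sees them. The script below is an added example, not code from the thread or from the Suricata project. It parses a dump in the same format as the one posted, flags offloads that a capture interface should have off, and emits the matching `ethtool -K` short names (gro, lro, tso, gso, rxvlan, txvlan). The list of must-be-off features is general IDS tuning guidance rather than something the thread states, and the sample dump is a constructed excerpt (with GRO and LRO deliberately set on) modelled on the posted eno3 output.

```python
"""Audit an `ethtool -k` feature dump for offloads that interfere with
packet capture.  Added example; the SAMPLE dump below is constructed."""
import re
from typing import Dict, List, Tuple

# Feature name as printed by `ethtool -k` -> short name accepted by `ethtool -K`.
# Treating these as must-be-off on a sniffing interface is general IDS guidance
# (assumption of this example, not a claim made in the thread).
CAPTURE_UNFRIENDLY = {
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
    "tcp-segmentation-offload": "tso",
    "generic-segmentation-offload": "gso",
    "rx-vlan-offload": "rxvlan",
    "tx-vlan-offload": "txvlan",
}

# Matches "name: on|off" with an optional "[fixed]" / "[requested on]" note.
# The "Features for eno3:" header contains spaces and therefore never matches.
_LINE = re.compile(r"^\s*([\w-]+):\s+(on|off)(?:\s+\[([^\]]+)\])?\s*$")


def parse_ethtool_k(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {feature: (state, annotation)}; annotation is '' when absent."""
    features: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            name, state, note = m.groups()
            features[name] = (state, note or "")
    return features


def audit(features: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names of capture-unfriendly offloads that are currently on."""
    return [
        name for name in CAPTURE_UNFRIENDLY
        if features.get(name, ("off", ""))[0] == "on"
    ]


def remediation(ifname: str, findings: List[str],
                features: Dict[str, Tuple[str, str]]) -> List[str]:
    """One `ethtool -K` line per finding; [fixed] features cannot be toggled,
    so they are reported as a comment instead of a command."""
    cmds = []
    for name in findings:
        if features[name][1] == "fixed":
            cmds.append(
                f"# {name} is on [fixed]: driver will not let ethtool change it")
        else:
            cmds.append(f"ethtool -K {ifname} {CAPTURE_UNFRIENDLY[name]} off")
    return cmds


# Constructed excerpt in the format of the posted eno3 dump (GRO/LRO forced on
# so the audit has something to report).
SAMPLE = """\
Features for eno3:
rx-checksumming: off
tcp-segmentation-offload: off
        tx-tcp-segmentation: off
        tx-tcp-ecn-segmentation: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: on [fixed]
rx-vlan-offload: off
tx-vlan-offload: off
tx-gre-segmentation: off [requested on]
tx-udp_tnl-segmentation: off [requested on]
"""

if __name__ == "__main__":
    feats = parse_ethtool_k(SAMPLE)
    findings = audit(feats)
    print("capture-unfriendly offloads on:", findings)
    for cmd in remediation("eno3", findings, feats):
        print(cmd)
```

On a live sensor, feed it the real output with `ethtool -k eno3 | python3 audit_offloads.py` style piping (read `sys.stdin` instead of SAMPLE); the posted dump already has all six of these features off, so on that box the script would report nothing and the loss has to be chased elsewhere (ring sizes, worker count, the capture method itself).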
