[Oisf-users] BPF filter for a mid/high traffic throughput

Peter Manev petermanev at gmail.com
Wed Dec 19 08:33:02 UTC 2018



> On 19 Dec 2018, at 09:27, Carlos Lopez <clopmz at outlook.com> wrote:
> 
> Yes, between 10%-20% ...
> 

Can you please describe your setup/config, start line, etc.?

Thank you 


> Ethtool -k output:
> 
> Features for eno3:
> rx-checksumming: off
> tx-checksumming: off
>        tx-checksum-ipv4: off [fixed]
>        tx-checksum-ip-generic: off
>        tx-checksum-ipv6: off [fixed]
>        tx-checksum-fcoe-crc: on [fixed]
>        tx-checksum-sctp: off
> scatter-gather: off
>        tx-scatter-gather: off
>        tx-scatter-gather-fraglist: off [fixed]
> tcp-segmentation-offload: off
>        tx-tcp-segmentation: off
>        tx-tcp-ecn-segmentation: off [fixed]
>        tx-tcp6-segmentation: off
>        tx-tcp-mangleid-segmentation: off
> udp-fragmentation-offload: off [fixed]
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off
> rx-vlan-offload: off
> tx-vlan-offload: off
> ntuple-filters: off
> receive-hashing: off
> highdma: on [fixed]
> rx-vlan-filter: off
> vlan-challenged: off [fixed]
> tx-lockless: off [fixed]
> netns-local: off [fixed]
> tx-gso-robust: off [fixed]
> tx-fcoe-segmentation: on [fixed]
> tx-gre-segmentation: off [requested on]
> tx-ipip-segmentation: off [requested on]
> tx-sit-segmentation: off [requested on]
> tx-udp_tnl-segmentation: off [requested on]
> fcoe-mtu: off [fixed]
> tx-nocache-copy: off
> loopback: off [fixed]
> rx-fcs: off [fixed]
> rx-all: off
> tx-vlan-stag-hw-insert: off [fixed]
> rx-vlan-stag-hw-parse: off [fixed]
> rx-vlan-stag-filter: off [fixed]
> busy-poll: off [fixed]
> tx-gre-csum-segmentation: off [requested on]
> tx-udp_tnl-csum-segmentation: off [requested on]
> tx-gso-partial: off
> tx-sctp-segmentation: off [fixed]
> rx-gro-hw: off [fixed]
> l2-fwd-offload: off
> hw-tc-offload: off
> rx-udp_tunnel-port-offload: on
> 
> 
> From: Peter Manev <petermanev at gmail.com>
> Sent: 19 December 2018 07:48
> To: Carlos Lopez
> Cc: oisf users
> Subject: Re: [Oisf-users] BPF filter for a mid/high traffic throughput
> 
> On Wed, Dec 19, 2018 at 7:43 AM Carlos Lopez <clopmz at outlook.com> wrote:
> >
> > Hi all,
> >
> > I need to monitor a network with a 4-5GiB traffic throughput per media with one Suricata 4.1.0 (under CentOS 7.6) sensor installed in a host with 64GB RAM and 16 phys cores. To avoid losing packets and/or CPU power analyzing large packets, I am thinking to capture all client traffic, SYN/FIN packets and the first packet of server responses (for all protocols). For example,
> 
> You should be able to handle 4-5Gbps traffic with that configuration I
> think without packet loss (or something relatively small like 0.x% or
> similar)
> Did you experience big packet loss?
> 
> Yes, between 10%-20% ...
> 
> _______________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
> 
> 
> 
> --
> Regards,
> Peter Manev