[Oisf-users] High Suricata capture.kernel_drops
Cloherty, Sean E
scloherty at mitre.org
Wed Jul 11 18:05:46 UTC 2018
Well, I am using HS, but it looks like Fatema is using RHEL or CentOS, and getting HS installed and recompiling isn't that much of a quick hit.
-----Original Message-----
From: Eric Leblond [mailto:eric at regit.org]
Sent: Wednesday, July 11, 2018 13:45 PM
To: Cloherty, Sean E <scloherty at mitre.org>; fatema bannatwala <fatema.bannatwala at gmail.com>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] High Suricata capture.kernel_drops
Hello,
Hi,
On Wed, 2018-07-11 at 14:53 +0000, Cloherty, Sean E wrote:
> Hello Fatema -
>
> SEPTun is a great resource for sure and from that you might want to
> focus first on the CPU affinity and only include those in the same
> NUMA node as the NIC for workers. (See SEPTun page 14)
>
> Some other quick hits –
>
> - Set threads to auto and specify which CPUs (by number or range of #s)
>   instead of “all” for the workers to use. Also – I think you can
>   choose to use CPUs not on the same NUMA node for the
>   management-cpu-set so you can save the rest for workers.
> - Install the NIC driver from Intel
> - In AF-PACKET – enable tpacketv3
> - Change the MPM-ALGO to AC-KS
Why are you not using hyperscan? It is supposed to have better performance than the previous algorithms.
BR,
--
Eric Leblond <eric at regit.org>
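
The NUMA advice quoted in this thread (pin workers only to CPUs on the capture NIC's node) can be checked from sysfs before editing the affinity settings. The script below is an added example, not code from the thread or from Suricata; the function names and the `SYSFS_ROOT` override are hypothetical, and the quoted-range list it prints is assumed to be pasted into the worker `cpu:` entry of `suricata.yaml`.

```shell
#!/bin/sh
# Added example: find the NUMA node of a capture NIC and list that node's CPUs.
# SYSFS_ROOT (hypothetical override) lets the logic run against a constructed tree.

nic_numa_node() {
    # $1 = interface name. Prints the NUMA node id of the NIC's PCI device.
    _f="${SYSFS_ROOT:-/sys}/class/net/$1/device/numa_node"
    if [ ! -r "$_f" ]; then
        echo "no numa_node entry for interface $1" >&2
        return 1
    fi
    _n=$(cat "$_f")
    # The kernel reports -1 when the platform exposes no NUMA locality; use node 0.
    if [ "$_n" -lt 0 ]; then
        _n=0
    fi
    echo "$_n"
}

node_cpulist() {
    # $1 = NUMA node id. Prints the kernel cpulist, e.g. "0-7,16-23".
    _f="${SYSFS_ROOT:-/sys}/devices/system/node/node$1/cpulist"
    if [ ! -r "$_f" ]; then
        echo "no cpulist for NUMA node $1" >&2
        return 1
    fi
    cat "$_f"
}

suricata_worker_cpus() {
    # $1 = interface name. Prints the NIC-local CPUs as a YAML list of
    # quoted ranges, e.g. [ "0-7", "16-23" ].
    _node=$(nic_numa_node "$1") || return 1
    _list=$(node_cpulist "$_node") || return 1
    printf '%s\n' "$_list" | sed 's/,/", "/g; s/^/[ "/; s/$/" ]/'
}

# Stand-alone use: ./nic_cpus.sh <interface>
if [ $# -gt 0 ]; then
    suricata_worker_cpus "$1"
fi
```

CPUs on the other node remain available for the management set, as the quoted message suggests.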