[Oisf-users] _fail Stats Q

MILESTONE Kerry Kerry.Milestone at ed.ac.uk
Wed Mar 7 16:46:23 UTC 2018


I shall answer... starting with explaining the setup. Using either afpacket or pfring natively and on their own to suricata, with processes and interrupts nicely pinned, there are no concerns and some impressively satisfying results.

Alas, this sensor box also requires multiple tools and is essentially multi-tenant, and not everything plays well.  So, configuring up kvm instances to give a 'customer' their own rooms for just their packets or native processes, lua scripts etc., which is also now working.  There are of course some cache coherency blips which will wait for another day when it really bites - the list discussion recently about affinity has been good food, but for now I have to focus on the operations and getting a service running.

The workaround, and currently somehow working, is to use zbalance_ipc on the actual nic and remap an output to a dummy interface.  suricata appears happy to read from this single interface with no kernel drops to give many threads to the worker cores.  I guess at some stage multiple kernel bypass methods may melt a bus somewhere, and there are very likely better ways, but for now I have something working.  Lowering rx nic queues seems to have helped.


From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Kerry Milestone <Kerry.Milestone at ed.ac.uk>
Sent: 06 March 2018 11:54
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] _fail Stats Q