[Oisf-users] Installing / Running Suricata with Myricom NICs

Greg Grasmehr greg.grasmehr at caltech.edu
Fri Mar 30 18:00:32 UTC 2018


I'm sorry, I should mention we are doing a consistent 5+ Gbps with bursts
to 8 and experiencing a maximum of 2% packet loss during burst periods.

Greg

On 03/30/18 10:51:36, Greg Grasmehr wrote:
> Hello,
> 
> Wow that's a lot of rings - I did a ton of testing regarding packet
> drops and different configurations and found the simplest config worked
> the best.
> 
> SNF_NUM_RINGS=2
> 
> /opt/suricata/bin/suricata -D -i p1p1 -i p1p1 -c /opt/suricata/etc/suricata/suricata.yaml -l
> 
> This basically lets Suricata decide how to use the available cores. In
> my experiments, pinning cores, increasing the number of rings, etc. did not
> provide the best performance.
> 
> The system is dual Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz
> 
> On a final note - I have an Arista 5100 switch that runs in DANZ tap
> mode and I implemented shunting of connections with Bro.  It works great for
> Bro and I am experimenting with shunting the Suricata port as well.
> 
> 
> On 02/20/18 17:58:16, Alexander Merck wrote:
> > Hello,
> >
> > Hopefully someone can help shed some light on some issues we've been seeing. We
> > just installed a new instance of Suricata on a fresh RHEL7 monitoring box with
> > Myricom cards. However, we are seeing significant packet loss (20-35%) on 2-3
> > Gbps traffic when attempting to use the SNF drivers.
> >
> > I'm suspecting that the Myricom SNF drivers are not functioning as expected.
> > We're able to run tcpdump compiled against these drivers with no issue,
> > including generating debug output. We've also found when supplying the
> > SNF_DEBUG_MASK environment variable when running Suricata, no debug output is
> > generated.
> >
> > Also, when using Suricata with the SNF drivers, should you be able to use the
> > interface names specified by SNF (e.g. snf0)? When trying to run Suricata using
> > the -i snf0, we get an "Unable to find iface snf0: No such device" error
> > message. We are only able to run Suricata against the interface names specified
> > by the kernel (in our case, enp4s0).
> >
> > The version of Suricata is 4.0.4 and the version of SNF is 3.0.12. Running ldd
> > shows that Suricata is linked against the SNF libraries.
> >
> > # ldd /usr/bin/suricata
> > ...
> >         libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f238ffb0000)
> > ...
> >         libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f238dae4000)
> >
> > We compiled Suricata per these instructions:
> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Myricom. I did
> > notice that this document is over five years old, but all of the configuration
> > options seemed correct.
> >
> > ./configure --with-libpcap-includes=/opt/snf/include/ --with-libpcap-libraries=/opt/snf/lib/ --prefix=/usr --sysconfdir=/etc --localstatedir=/var
> >
> > And we're running Suricata with the following command:
> >
> > SNF_NUM_RINGS=32 SNF_DATARING_SIZE=17179869184 SNF_DESCRING_SIZE=4294967296 SNF_FLAGS=0x1 SNF_DEBUG_MASK=3 SNF_DEBUG_FILENAME="/tmp/snf.out" /usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp4s0 --runmode=workers
> >
> > The box we’re running this on has 64 cores and 256GB of RAM, so I doubt it’s a
> > resource issue…but could potentially be a configuration issue.
> >
> > Are we missing something in the install process that may be causing these
> > issues? Any recommendations or pointers would be greatly appreciated. Thanks!
> >
> > -Alex M
> >
> > -- 
> > Alexander Merck
> > Duke University
> > IT Security Office
> >
> 
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > 
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/