[Oisf-users] Suricata Performance Tuning

Edgmand, Craig craig.edgmand at okstate.edu
Thu Oct 25 20:06:11 UTC 2018


Without Hyperscan I saw a minimal performance improvement with tcmalloc and packet loss... nowhere near the Hyperscan rate.

Currently testing the Hyperscan compiled Suricata with tcmalloc and packet loss has decreased from .33 to .11 but it has only been running for a few hours.  Memory usage has also decreased.



From: Cloherty, Sean E <scloherty at mitre.org>
Sent: Thursday, October 25, 2018 9:51 AM
To: Edgmand, Craig <craig.edgmand at okstate.edu>; oisf-users at lists.openinfosecfoundation.org
Subject: RE: [Oisf-users] Suricata Performance Tuning

CPU Pinning was the most impactful for our environment with similar traffic rates per box.  The other was to address any stats that showed Suricata hitting any memcaps.

On test boxes I've tested CPU isolation and didn't see a significant improvement. Hyperscan was helpful, and using Google's TCMALLOC may reduce the memory footprint: https://github.com/OISF/suricata/blob/master/doc/userguide/performance/tcmalloc.rst


From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Edgmand, Craig
Sent: Thursday, August 30, 2018 11:04 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Suricata Performance Tuning

Hello,

       I am working on a new Suricata server (Dell PowerEdge R710, 72 Gb of memory, 2 6-core procs) using a Myricom 10 card running snf v3. It needs to process between 3 and 6 Gb of traffic fed by a NetOptics agg tap.

       Currently the system is dropping about 10% of the packets and the SNF drop ring is full, so that implies that Suricata is not keeping up with processing.  I currently have 20 threads running and about 16 Gb of free memory.

       I have read SEPTun, SEPTun-Mark-II, the Suricata docs, the Myricom user guide, Peter Manev's old blogs, etc.

       And what I want to know is what performance tuning options have the greatest impact?   Outside of buying faster processors, more memory or a different NIC.  :)

                Is it the suricata.yaml configuration options?

                Is it hyperscan?

                Sysctl settings?

                Ethtool tweaks?

                BIOS setting?

                CPU Pinning?
                ???

Thanks very much,

Craig Edgmand
Oklahoma State University










