[Oisf-users] Suricata Performance Tuning

Edgmand, Craig craig.edgmand at okstate.edu
Mon Oct 29 13:20:14 UTC 2018 

Other than reduced memory usage I saw no performance gains with tcmalloc.

From: Cloherty, Sean E <scloherty at mitre.org>
Sent: Thursday, October 25, 2018 9:51 AM
To: Edgmand, Craig <craig.edgmand at okstate.edu>; oisf-users at lists.openinfosecfoundation.org
Subject: RE: [Oisf-users] Suricata Performance Tuning

CPU Pinning was the most impactful for our environment with similar traffic rates per box.  The other was to address any stats that showed Suricata hitting any memcaps.

On test boxes I've tested CPU isolation and didn't see a significant improvement.   Hyperscan was helpful, and using Google's TCMALLOC may reduce the memory footprint https://github.com/OISF/suricata/blob/master/doc/userguide/performance/tcmalloc.rst<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FOISF%2Fsuricata%2Fblob%2Fmaster%2Fdoc%2Fuserguide%2Fperformance%2Ftcmalloc.rst&data=02%7C01%7Ccraig.edgmand%40okstate.edu%7C64e3c0e817314288c7e108d63a89645c%7C2a69c91de8494e34a230cdf8b27e1964%7C0%7C0%7C636760759105697687&sdata=Eo%2BxHLM2p8Qd0mruJ%2BgUQiR9AbQu5xPlJEmA%2FFAHRnA%3D&reserved=0>


From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org<mailto:oisf-users-bounces at lists.openinfosecfoundation.org>> On Behalf Of Edgmand, Craig
Sent: Thursday, August 30, 2018 11:04 AM
To: oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>
Subject: [Oisf-users] Suricata Performance Tuning

Hello,

       I am working on a new Suricata server (Dell PowerEdge R710, 72 Gb of memory, 2 6 core procs) using a Myricom 10 card running snf v3. It needs to process between 3 and 6 Gb of traffic fed by a NetOptics agg tap.

       Currently the system is dropping about 10% of the packets and the SNF drop ring is full so that implies that Suricata is not keeping up with processing.  I currently have 20 threads running and about 16 Gb of free memory.

       I have read SEPTun, SEPTun-Mark-II, the Suricata docs, the Myricom user guide, Peter Manev old blogs, etc...

       And what I want to know is what performance tuning options have the greatest impact?   Outside of buying faster processors, more memory or a different nic card.  :)

                Is it the suricata.yaml configuration options?

                Is it hyperscan?

                Sysctl settings?

                Ethtool tweaks?

                BIOS setting?

                CPU Pinning?
                ???

Thanks very much,

Craig Edgmand
Oklahoma State University











-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181029/864e2770/attachment.html>

More information about the Oisf-users mailing list