[Oisf-users] Hardware specs for monitoring 100GB

[Nelson, Cooper]

Should be fine for ISP traffic.

We are doing 20Gbit with 48 worker threads on an older AMD Piledriver box and it’s around 10-15% loaded with the ‘ondemand’ CPU governor.

Suricata is primarily I/O bound if you are using the Hyperscan matcher and given you have a more modern bus and caching sub-system than us you should be under 50% CPU @peak.  This is my personal sizing recommendation to keep packet drops under 1%.

If you are having performance issues or packet loss; make sure you have flow bypass for tcp and tls.

-Coop

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Daniel Wallmeyer
Sent: Thursday, August 1, 2019 1:14 PM
To: 'oisf-users at lists.openinfosecfoundation.org' <oisf-users at lists.openinfosecfoundation.org>
Subject: [Oisf-users] Hardware specs for monitoring 100GB

Hey fellow mobsters,

Looking to verify that we have spec’d our hardware correctly for monitoring 100GB:

2 x Intel(R) Xeon(R) Gold 6136 CPU
256GB of RAM
Napatech NT100E3-1-PTP

The traffic will be fed via a single network tap.

Will this be enough hardware to deal with 100Gb/s of traffic?
At the very least it would be great to know if the CPU and RAM is enough, we can work with Napatech to get the right card.

Thanks,
Dan
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

. . . . .
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190801/045c4e00/attachment.html>