[Oisf-users] High CPU Load with Small Ruleset at 10Gbit/s
Fabian Franz
fabfaeb at googlemail.com
Fri Aug 16 15:24:37 UTC 2019
Hi Everyone,
I am having a problem with my Suricata setup and hope that someone here
has a hint for me:
I run suricata 4.1.4 together with a myricom card on a server with 128
gigs of RAM and two 16core(+HT) Intel CPUs.
The SNF settings are 30 rings and 32/8gig for ringsizes.
As long as I do not deploy any rules, suricata runs smoothly with ~20%
CPU load per (worker) core at 9-10 Gbit/s network traffic. However, when
I deploy even small rulesets (e.g. et-shellcode) the CPU load skyrockets
with 100% for 3-6 cores and the rest at around 50%. After a few moments,
packets are dropped, with the SNF drop ring full counter increasing
rapidly (at 9-10Gbit/s, as before). I use hyperscan as mpm-algo and
tried to follow the recommendations
at https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/ .
However, I was not able to follow the recommendations regarding IRQ,
since those seemed pretty NIC specific. Is this setup also relevant for
myricom cards?
Additionally, I obviously do not use AF_PACKET but libpcap with 30 threads.
To test the bandwidth I used iperf with 30 parallel connections. Could
this be the reason why only some of the cores are running at 100% load?
If so, are there any other possibilities to simulate the bandwidth more
realistically?
Are there any myricom users here that could share performance hints for
myricom+suricata? I feel that (hardware-wise) my setup should have no
problem handling 10Gbit/s with a decent ruleset, right?
Thanks a lot
Fabian