[Oisf-users] Suricata with Myricom NIC using only one Worker Thread

Victor Julien lists at inliniac.net
Mon Jul 1 18:52:37 UTC 2019

On 28-06-19 09:02, Fabian Franz wrote:
> Hi all, 
> I am currently trying to get Suricata to work together with a Myricom
> card running a Sniffer10G driver. The problems I have seem to be
> somewhat similar to what Alexander Merck described on this list in Feb
> 2018
> (https://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-February/007790.html)
> but I could not find an answer to the problem in there and did not want
> to dig up such an old thread. 
> I have installed the card and the driver on an Ubuntu 18.04 server with
> 64 gigs of RAM and 16 cores (including HT). I followed the instructions
> here: https://blog.inliniac.net/2012/07/10/suricata-on-myricom-capture-cards/ and
> here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Myricom to
> build and run suricata. 
> The card seems to be working and when viewing the debug output using one
> of the snf driver tools everything seems fine. However, no debug output
> is generated when setting the debug flag while running suricata. 
> Now this wouldn't bother me too much if it wasn't for the stats.log
> file. This looks like the following:
> Seemingly, only one worker thread is getting a considerable amount of
> packets while the others are more or less idle. This can also be
> confirmed when looking at the load of the single threads using htop.
> Surely this can't be right? Did I miss anything when setting up the
> driver and/or suricata? Is there a configuration flag or similar that I
> did not set?
> The traffic I am currently seeing varies between 1 and 6Gbps. Especially
> when I am seeing more than 3 Gbps, the capture.kernel_drops counter of
> W#01 also rises pretty quickly to more than 10%.
> I would be very grateful for any help or hints!

I wonder if this could be related to how the card or snf software load
balances the traffic. Could all traffic have some kind of encapsulation
that leads the card to send it all to queue 0? It's been too long since
I've looked at the snf options, so I can't remember what settings there are.

Can you share a stats.log record? Perhaps it will hold some clues.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
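
Added example, not part of the original thread or of Suricata itself: one way to quantify the per-worker imbalance discussed above from a stats.log record, assuming per-thread counters are written in the `Counter | TM Name | Value` table layout. The sample record, its values, and the `W#NN-snf0` thread names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the stats.log table layout (per-thread counters enabled);
# the values and the thread/interface names are invented for illustration.
SAMPLE = """\
------------------------------------------------------------------------------------
Date: 7/1/2019 -- 18:52:37 (uptime: 0d, 00h 10m 08s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | W#01-snf0                 | 9000000
capture.kernel_drops                       | W#01-snf0                 | 1000000
capture.kernel_packets                     | W#02-snf0                 | 1200
capture.kernel_packets                     | W#03-snf0                 | 800
capture.kernel_packets                     | W#04-snf0                 | 400
"""

ROW = re.compile(r"^(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def per_thread(text):
    """Return {thread: {"packets": n, "drops": n}} from the last record in text."""
    # stats.log is appended to; only the newest record reflects current totals.
    last = re.split(r"^Date: .*$", text, flags=re.M)[-1]
    out = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in last.splitlines():
        m = ROW.match(line)
        if m:
            out[m.group(2)][m.group(1).rsplit("_", 1)[1]] = int(m.group(3))
    return dict(out)

def report(threads, skew_threshold=0.5):
    """Per-thread share of all packets and drop percentage; flag one-thread skew."""
    total = sum(t["packets"] for t in threads.values())
    rows = {}
    for name, t in sorted(threads.items()):
        share = t["packets"] / total if total else 0.0
        drop_pct = 100.0 * t["drops"] / t["packets"] if t["packets"] else 0.0
        rows[name] = (round(share, 4), round(drop_pct, 2))
    skewed = [n for n, (s, _) in rows.items() if len(rows) > 1 and s > skew_threshold]
    return rows, skewed

if __name__ == "__main__":
    rows, skewed = report(per_thread(SAMPLE))
    for name, (share, drop_pct) in rows.items():
        print(f"{name}: {share:.2%} of packets, {drop_pct:.2f}% dropped")
    print("threads receiving more than half of all traffic:", skewed or "none")
```

A single worker holding nearly all of `capture.kernel_packets` points at the load balancing in front of Suricata (card or capture library) rather than at the detection threads themselves.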
