[Oisf-users] Suricata with Myricom NIC using only one Worker Thread

Michał Purzyński michalpurzynski1 at gmail.com
Mon Jul 1 20:02:54 UTC 2019


Can you double-check if your Suricata is linked against libpcap with
myricom support?

ldd `which suricata` (unless you load the snf-ed libpcap in a different
way, like with LD_ variables)

Setting SNF_DEBUG_MASK=3 is also helpful to see if libsnf is being
used.

What's the output of myri_counters?

Victor might be right here. Can you share a small packet dump, to see if
your traffic is encapsulated in a way SNF cannot understand?


On Mon, Jul 1, 2019 at 11:52 AM Victor Julien <lists at inliniac.net> wrote:

> On 28-06-19 09:02, Fabian Franz wrote:
> > Hi all,
> >
> >
> > I am currently trying to get Suricata to work together with a Myricom
> > card running a Sniffer10G driver. The problems I have seem to be
> > somewhat similar to what Alexander Merck described on this list in Feb
> > 2018
> > (https://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-February/007790.html)
> > but I could not find an answer to the problem in there and did not want
> > to dig up such an old thread.
> >
> >
> > I have installed the card and the driver on a Ubuntu 18.04 server with
> > 64gigs of RAM and 16 cores (including HT). I followed the instructions
> > here:
> > https://blog.inliniac.net/2012/07/10/suricata-on-myricom-capture-cards/
> > and here:
> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Myricom
> > to build and run suricata.
> >
> > The card seems to be working and when viewing the debug output using one
> > of the snf driver tools everything seems fine. However, no debug output
> > is generated when setting the debug flag while running suricata.
> >
> > Now this wouldn't bother me too much if it wasn't for the stats.log
> > file. This looks like the following:
> >
> >
> <snip>
> >
> >
> > Seemingly, only one worker thread is getting a considerable amount of
> > packets while the others are more or less idle. This can also be
> > confirmed when looking at the load of the single threads using htop.
> > Surely this can't be right? Did I miss anything when setting up the
> > driver and/or suricata? Is there a configuration flag or similar that I
> > did not set?
> >
> >
> > The traffic I am currently seeing varies between 1 and 6Gbps. Especially
> > when I am seeing more than 3 Gbps, the capture.kernel_drops counter
> > of W#01 also rises pretty quickly to more than 10%.
> >
> >
> > I would be very grateful for any help or hints!
>
> I wonder if this could be related to how the card or snf software load
> balances the traffic. Could all traffic have some kind of encapsulation
> that leads the card to send it all to queue 0? It's been too long since
> I've looked at the snf options, so I can't remember what settings there
> are.
>
> Can you share a stats.log record? Perhaps it will hold some clues.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
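
The symptom discussed in this thread (one worker thread receiving nearly all packets and dropping more than 10%) can be checked from stats.log directly. The following is an added example, not code from the thread or from the Suricata project. It assumes the "Counter | TM Name | Value" layout that stats.log uses when per-thread stats are enabled; the sample record, the thread names and both thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample record (numbers are made up); the layout is assumed to be
# the per-thread "Counter | TM Name | Value" form of stats.log.
SAMPLE_STATS = """\
-------------------------------------------------------------------------------
Date: 7/1/2019 -- 20:02:54 (uptime: 0d, 00h 10m 00s)
-------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
-------------------------------------------------------------------------------
capture.kernel_packets                     | W#01-eth0                 | 9600000
capture.kernel_drops                       | W#01-eth0                 | 1200000
capture.kernel_packets                     | W#02-eth0                 | 150000
capture.kernel_packets                     | W#03-eth0                 | 130000
capture.kernel_packets                     | W#04-eth0                 | 120000
capture.kernel_packets                     | Total                     | 10000000
capture.kernel_drops                       | Total                     | 1200000
"""

# Only per-worker rows (W#nn...) are matched; "Total" rows are skipped.
ROW = re.compile(
    r"^(capture\.kernel_(?:packets|drops))\s*\|\s*(W#\d+\S*)\s*\|\s*(\d+)\s*$")

def per_worker(text):
    """Return {thread: {"packets": n, "drops": n}} from the newest record."""
    workers = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.splitlines():
        if line.startswith("Date:"):
            workers.clear()  # counters are cumulative, keep only the last record
            continue
        m = ROW.match(line)
        if m:
            workers[m.group(2)][m.group(1).rsplit("_", 1)[1]] = int(m.group(3))
    return dict(workers)

def imbalance_report(text, skew=0.5, drop_limit=0.10):
    """Flag workers with more than `skew` of all packets or drops over `drop_limit`.
    Both thresholds are hypothetical defaults chosen for this example."""
    workers = per_worker(text)
    total = sum(w["packets"] for w in workers.values()) or 1
    report = {}
    for name, w in sorted(workers.items()):
        share = w["packets"] / total
        drop_pct = w["drops"] / w["packets"] if w["packets"] else 0.0
        report[name] = {"share": round(share, 3), "drop_pct": round(drop_pct, 3),
                        "hot": share > skew, "dropping": drop_pct > drop_limit}
    return report

if __name__ == "__main__":
    for name, r in imbalance_report(SAMPLE_STATS).items():
        print(name, r)
```

A worker flagged both `hot` and `dropping` while its peers sit near zero matches the load-balancing problem described above, as opposed to uniform overload across all threads.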