[Oisf-users] Hardware specs for monitoring 100GB

Drew Dixon dwdixon at umich.edu
Fri Oct 18 15:37:32 UTC 2019


Hi, I wanted to revive this thread as I'm currently exploring the same-
100G+ w/ Suricata.  I'm specifically interested in NIC recommendations,
here I see a "Napatech NT100E3-1-PTP" is being used which I will look into
a bit, I also saw they offer a compact "NT200A02-SCC-2×100/40" which may be
ideal for my purposes, however I wanted to poll the community a bit-

Do folks have other 100G NIC recommendations that play very well with
Suricata w/ minimal administrative overhead?  It could maybe even be
something like 2x40G if there are more options presently, but 1x100G would
likely really be best looking forward.

I did see that Intel is about to (or may have by now) release their 800
series NICs w/ a 100G option FWIW.  In general I haven't heard much of
anything on the top 100G NIC recommendations w/ Suricata.

Many thanks in advance-

Best,

-Drew

On Thu, Aug 1, 2019 at 5:28 PM Peter Manev <petermanev at gmail.com> wrote:

> @Daniel
> What type of traffic is that and what rules are you planning on using?
>
>
> Thanks
>
>
> On 1 Aug 2019, at 22:19, Nelson, Cooper <cnelson at ucsd.edu> wrote:
>
> Should be fine for ISP traffic.
>
>
>
> We are doing 20Gbit with 48 worker threads on an older AMD Piledriver box
> and it’s around 10-15% loaded with the ‘ondemand’ CPU governor.
>
>
>
> Suricata is primarily I/O bound if you are using the Hyperscan matcher and
> given you have a more modern bus and caching sub-system than us you should
> be under 50% CPU @peak.  This is my personal sizing recommendation to keep
> packet drops under 1%.
>
>
>
> If you are having performance issues or packet loss, make sure you have
> flow bypass for tcp and tls.
>
>
>
> -Coop
>
>
>
> *From:* Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> *On
> Behalf Of *Daniel Wallmeyer
> *Sent:* Thursday, August 1, 2019 1:14 PM
> *To:* 'oisf-users at lists.openinfosecfoundation.org' <
> oisf-users at lists.openinfosecfoundation.org>
> *Subject:* [Oisf-users] Hardware specs for monitoring 100GB
>
>
>
> Hey fellow mobsters,
>
>
>
> Looking to verify that we have spec’d our hardware correctly for
> monitoring 100GB:
>
>
>
> 2 x Intel(R) Xeon(R) Gold 6136 CPU
>
> 256GB of RAM
>
> Napatech NT100E3-1-PTP
>
>
>
> The traffic will be fed via a single network tap.
>
>
>
> Will this be enough hardware to deal with 100Gb/s of traffic?
>
> At the very least it would be great to know if the CPU and RAM is enough,
> we can work with Napatech to get the right card.
>
>
>
> Thanks,
>
> Dan
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
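
The "flow bypass for tcp and tls" advice quoted above corresponds to two settings in the stock suricata.yaml. The fragment below is an added example, not configuration posted by anyone in this thread; the memcap and depth values are constructed placeholders, not sizing figures from the thread.

```yaml
# Added example: only the keys relevant to flow bypass are shown.
# Merge into the existing stream: and app-layer: sections of suricata.yaml.

stream:
  memcap: 4gb              # constructed value; size to the sensor's RAM
  # Stop inspecting a TCP flow once reassembly.depth bytes have been
  # reassembled. Default is "no", which keeps every packet of long-lived
  # bulk flows on the worker threads.
  bypass: yes
  reassembly:
    memcap: 16gb           # constructed value
    # Bytes of each direction that are reassembled and inspected before
    # the flow becomes eligible for bypass. A smaller depth sheds load
    # earlier but leaves more of each flow uninspected.
    depth: 1mb

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      # default: keep tracking the session after encryption starts
      # bypass:  stop processing the flow once the handshake is parsed;
      #          handshake-level logging and tls.* keyword matching on the
      #          handshake still happen, the encrypted payload is skipped
      # full:    keep inspecting as normal
      encryption-handling: bypass
```

Bypassed traffic is no longer inspected, so the drop in load comes with a detection gap past the reassembly depth and inside encrypted sessions. The `flow_bypassed` counters in stats.log show how much traffic is being shed once the settings are active.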