[Oisf-users] Hardware specs for monitoring 100GB

Michał Purzyński michalpurzynski1 at gmail.com
Fri Oct 18 21:12:53 UTC 2019


Let's argue for a moment that using dedicated capture cards is not
necessary anymore, because your vanilla Linux has all you need, especially
with Suricata 5.0 and XDP. How does that sound??

I'd build a cluster instead of a single 100Gbit machine, for reliability
reasons, unless your space is limited.

Intel and Mellanox 40Gbit cards can handle 20-40Gbit/sec on fairly
commodity hardware. It totally depends on your rules, of course.

Yes, everyone was expecting that ;)



On Fri, Oct 18, 2019 at 8:38 AM Drew Dixon <dwdixon at umich.edu> wrote:

> Hi, I wanted to revive this thread as I'm currently exploring the same-
> 100G+ w/ Suricata.  I'm specifically interested in NIC recommendations,
> here I see a "Napatech NT100E3-1-PTP" is being used which I will look into
> a bit, I also saw they offer a compact "NT200A02-SCC-2×100/40" which may be
> ideal for my purposes, however I wanted to poll the community a bit-
>
> Do folks have other 100G NIC recommendations that play very well with
> Suricata w/ minimal administrative overhead?  It could maybe even be
> something like 2x40G if there are more options presently, but 1x100G would
> likely really be best looking forward.
>
> I did see that Intel is about to (or may have by now) release their 800
> series NICs w/ a 100G option FWIW.  In general I haven't heard much of
> anything on the top 100G NIC recommendations w/ Suricata.
>
> Many thanks in advance-
>
> Best,
>
> -Drew
>
> On Thu, Aug 1, 2019 at 5:28 PM Peter Manev <petermanev at gmail.com> wrote:
>
>> @Daniel
>> What type of traffic is that and what rules are you planning on using?
>>
>>
>> Thanks
>>
>>
>> On 1 Aug 2019, at 22:19, Nelson, Cooper <cnelson at ucsd.edu> wrote:
>>
>> Should be fine for ISP traffic.
>>
>>
>>
>> We are doing 20Gbit with 48 worker threads on an older AMD Piledriver box
>> and it’s around 10-15% loaded with the ‘ondemand’ CPU governor.
>>
>>
>>
>> Suricata is primarily I/O bound if you are using the Hyperscan matcher
>> and given you have a more modern bus and caching sub-system than us you
>> should be under 50% CPU @peak.  This is my personal sizing recommendation
>> to keep packet drops under 1%.
>>
>>
>>
>> If you are having performance issues or packet loss, make sure you have
>> flow bypass for tcp and tls.
>>
>>
>>
>> -Coop
>>
>>
>>
>> *From:* Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> *On
>> Behalf Of *Daniel Wallmeyer
>> *Sent:* Thursday, August 1, 2019 1:14 PM
>> *To:* 'oisf-users at lists.openinfosecfoundation.org' <
>> oisf-users at lists.openinfosecfoundation.org>
>> *Subject:* [Oisf-users] Hardware specs for monitoring 100GB
>>
>>
>>
>> Hey fellow mobsters,
>>
>>
>>
>> Looking to verify that we have spec’d our hardware correctly for
>> monitoring 100GB:
>>
>>
>>
>> 2 x Intel(R) Xeon(R) Gold 6136 CPU
>>
>> 256GB of RAM
>>
>> Napatech NT100E3-1-PTP
>>
>>
>>
>> The traffic will be fed via a single network tap.
>>
>>
>>
>> Will this be enough hardware to deal with 100Gb/s of traffic?
>>
>> At the very least it would be great to know if the CPU and RAM are enough,
>> we can work with Napatech to get the right card.
>>
>>
>>
>> Thanks,
>>
>> Dan
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
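
The "flow bypass for tcp and tls" advice and the vanilla Linux AF_PACKET/XDP capture path discussed in this thread map onto a handful of suricata.yaml settings. The fragment below is an added example, not configuration posted by anyone in the thread; the interface name, thread count, cluster-id, reassembly depth and eBPF object path are assumptions to adapt to the sensor.

```yaml
# suricata.yaml fragment (Suricata 5.0 built with eBPF/XDP support).
# Constructed example: interface, threads, cluster-id, depth and the .bpf
# path are placeholders, not values taken from the thread.

af-packet:
  - interface: eth3            # assumed capture interface
    threads: 16                # assumed; match the number of NIC RSS queues
    cluster-id: 97
    # Bind each worker thread to one NIC queue. Requires symmetric RSS
    # hashing so both directions of a flow land on the same queue.
    cluster-type: cluster_qm
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    # "driver" runs the XDP program in the NIC driver; "soft" is the
    # skb-based fallback for drivers without native XDP support.
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf  # assumed path
    # Hand bypassed flows to the eBPF filter so their remaining packets
    # are discarded in the kernel instead of being copied to userspace.
    bypass: yes

stream:
  # TCP: once a flow has been reassembled up to 'depth', bypass the rest
  # of it rather than continuing to track every packet.
  bypass: yes
  reassembly:
    depth: 1mb

app-layer:
  protocols:
    tls:
      enabled: yes
      # TLS: after the handshake has been parsed and the session turns
      # encrypted, bypass the flow; the handshake metadata is still logged.
      encryption-handling: bypass
```

Bypass trades visibility for throughput: anything past the reassembly depth or inside an encrypted session is no longer inspected, so set the depth with the rule set in mind.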