[Oisf-users] Capture loss ~50% reported using Myricom with Suri v 5.0.2

Edgmand, Craig craig.edgmand at okstate.edu
Fri Jun 19 18:09:33 UTC 2020 

Hi Fetema,

Not an expert, but have you tried increasing these


SNF_DATARING_SIZE=4096MB

SNF_DESCRING_SIZE=1024MB

If you have the memory, I would multiply these by a factor of 4.  On my servers these numbers are huge. Might also increase buffer size.

Thanks,

Craig

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of fatema bannatwala
Sent: Friday, June 19, 2020 12:59 PM
To: Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Subject: [Oisf-users] Capture loss ~50% reported using Myricom with Suri v 5.0.2

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe
Hello Experts,

Need some help tuning down our prod suricata box running Suricata v 5.0.2 with Myricom NIC: 10G-PCIE-8B-S myri_snf 3.0.20.50894

It is consistently reporting ~50% capture loss, calculated based off of the capture.kernel_packets and capture.kernel_dropped values reported in stats.log file.

I have followed the https://blog.inliniac.net/2012/07/10/suricata-on-myricom-capture-cards/<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblog.inliniac.net%2F2012%2F07%2F10%2Fsuricata-on-myricom-capture-cards%2F&data=02%7C01%7Ccraig.edgmand%40okstate.edu%7Cfebd2ad7dac24eddbea508d8147a76d5%7C2a69c91de8494e34a230cdf8b27e1964%7C0%7C1%7C637281863494345977&sdata=XcrXhcZVFFiw280MZJxI6JVssD%2BdlYEyyYJJdsSIxLg%3D&reserved=0>
guide to pin the cpus to the worker nodes and use pcap.buffer_size to increase the SNF dataring size, but no effect..

We have one Myri card connected to p2p1 and two NUMA nodes, each with 8 cores (16 HT):
NUMA node0 CPU(s):     0-7,16-23
NUMA node1 CPU(s):     8-15,24-31
OS: Centos 7

Any help in the right direction would be appreciated! :)

Thanks!
Fatema

Following is settings from suricata.yml file


# Myricom support

pcap:

  - interface: p2p1

    threads: 14

    buffer-size: 2gb

    checksum-checks: no

pcap-file:

  checksum-checks: auto



threading:

  set-cpu-affinity: yes

  cpu-affinity:

    - management-cpu-set:

        cpu: [ "0" ]

        mode: "balanced"

        prio:

          default: "low"

    - worker-cpu-set:

        cpu: [ "1-7","9-15" ]

        mode: "exclusive"

        prio:

          default: "high"


Following is the currently recorded stats.log:

------------------------------------------------------------------------------------

Date: 6/19/2020 -- 10:55:36 (uptime: 0d, 04h 04m 10s)

------------------------------------------------------------------------------------

Counter                                       | TM Name                   | Value

------------------------------------------------------------------------------------

capture.kernel_packets                        | Total                     | 28447139411

capture.kernel_drops                          | Total                     | 27910518132

capture.kernel_ifdrops                        | Total                     | 6034

decoder.pkts                                  | Total                     | 536633135



SNF parameters:





SNF_APP_ID=32

SNF_DATARING_SIZE=4096MB

SNF_DESCRING_SIZE=1024MB

SNF_NUM_RINGS=14

SNF_FLAGS=0x1



LD_PRELOAD="/opt/snf/lib/libpcap.so.1"



OPTIONS="--user suricata --group suricata --pcap"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200619/41b0aacf/attachment-0001.html>

More information about the Oisf-users mailing list