Hello all,

I was looking for suggestions for tweaking and I thought I'd try here first before the Snort-users mailing list.

I have a box with two 8-core CPUs, so 32 unique 'processor id's appear in /proc/cpuinfo. I have 64GB of RAM.

I add PF_RING:

PF_RING Version     : 5.4.6 ($Revision: 5651$)
Ring slots          : 16384
Slot version        : 14
Capture TX          : No [RX only]
IP Defragment       : No
Socket Mode         : Standard
Transparent mode    : Yes (mode 1)
Total rings         : 33
Total plugins       : 0

I'm running an application that doesn't provide source, otherwise I would link against PF_RING - hence transparent_mode=1.

I'm running httpry, compiled against PF_RING:

cat 9187-eth1.654
Bound Device(s)    : eth1
Active             : 1
Breed              : Non-DNA
Sampling Rate      : 1
Capture Direction  : RX+TX
Socket Mode        : RX+TX
Appl. Name         : <unknown>
IP Defragment      : No
BPF Filtering      : Enabled
# Sw Filt. Rules   : 0
# Hw Filt. Rules   : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 5509127
Channel Id         : -1
Cluster Id         : 0
Slot Version       : 14 [5.4.6]
Min Num Slots      : 32639
Bucket Len         : 8192
Slot Len           : 8224 [bucket+header]
Tot Memory         : 268435456
Tot Packets        : 58267680
Tot Pkt Lost       : 0
Tot Insert         : 58267680
Tot Read           : 58267653
Insert Offset      : 26353082
Remove Offset      : 26337123
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Num Free Slots     : 32612

This application sets a large snaplen (8192) but never seems to drop packets, although it basically uses a BPF filter to only look for tcp (80 or 8080) for URL/HTTP logging.
Based on information from the Metaflows blog:

http://www.metaflows.com/technology/10-gbps-pf_ring-2/

I add ixgbe with InterruptThrottleRate=4000 and

ethtool -C eth1 rx-usecs 1000
ethtool -C eth1 adaptive-rx off
ethtool -K eth1 tso off
ethtool -K eth1 gro off
ethtool -K eth1 lro off
ethtool -K eth1 gso off
ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off

and then finally

set_cpu_affinity eth1

Dmesg/syslog shows:

Aug 31 13:42:43 kernel: [861324.984781] ixgbe 0000:1b:00.0: eth1: MAC: 2, PHY: 14, SFP+: 5, PBA No: G43015-001
Aug 31 13:42:43 kernel: [861324.984790] ixgbe 0000:1b:00.0: eth1: Enabled Features: RxQ: 32 TxQ: 32 FdirHash RSS RSC
Aug 31 13:42:43 kernel: [861324.986702] ixgbe 0000:1b:00.0: eth1: Intel(R) 10 Gigabit Network Connection
Aug 31 13:42:45 kernel: [861326.767603] ixgbe 0000:1b:00.0: eth1: NIC Link is Up 10 Gbps, Flow Control: RX/TX

pfcount shows roughly:

Absolute Stats: [3076149 pkts rcvd][0 pkts dropped]
Total Pkts=3076149/Dropped=0.0 %
3'076'149 pkts - 2'153'012'075 bytes [341'757.57 pkt/sec - 1'913.58 Mbit/sec]
=========================
Actual Stats: 278440 pkts [1'000.13 ms][278'402.69 pps/1.55 Gbps]

Traffic is generally > 1Gbps but never greater than 2 or 2.5.

I then run 32 instances of Snort, with the DAQ binding each one to a particular thread:

config daq: pfring
config daq_var: clusterid=10
config daq_var: watermark=64
config daq_var: timeout=1

and

--daq-var bindcpu=XX (where XX is 0 .. 31)

I'm using a BPF filter in Snort:

config bpf_file: /etc/snort/bpf

to limit the traffic I'm actually analysing, and still I see:

grep Lost /proc/net/pf_ring/*|egrep -v ': 0'
/proc/net/pf_ring/9260-eth1.655:Tot Pkt Lost       : 36656
/proc/net/pf_ring/9323-eth1.668:Tot Pkt Lost       : 87678

This is not much across 32 instances of Snort, but how can I avoid dropping anything at all?

I'm processing half of the traffic and running just over 1000 rules - less than the listed statistics on the Metaflows site - and still dropping packets.
Is there anything else I can tweak that I'm missing?

--
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049

_______________________________________________
Ntop-misc mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
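The "grep Lost /proc/net/pf_ring/*" check in the post reports raw loss counts, which says nothing about how much traffic each ring handled or whether its consumer was keeping up. The script below is an added example, not part of the post and not PF_RING or Snort code: it parses the per-ring stat files PF_RING exposes under /proc/net/pf_ring (the same format as the "cat 9187-eth1.654" output above) and prints loss as a percentage of packets offered to the ring plus ring fill as a percentage of "Min Num Slots". It assumes "Tot Packets" counts packets inserted into the ring and "Tot Pkt Lost" counts packets that could not be inserted, and that the field names are those of PF_RING 5.4.x as shown in the post; the sample stat files it creates are constructed for testing (counts from the post where given, otherwise invented).

```shell
#!/bin/sh
# Added example (not from the original post or from PF_RING/Snort).
# Summarise PF_RING ring statistics from /proc/net/pf_ring/<pid>-<dev>.<id>.
# Assumptions: "Tot Packets" = packets inserted into the ring,
# "Tot Pkt Lost" = packets PF_RING could not insert; field names as in PF_RING 5.4.x.

# One line per ring:
#   <ring> dev=<if> app=<name> rcvd=<n> lost=<n> loss=<pct of offered> fill=<pct of slots in use>
pf_ring_loss_report() {
    dir="${1:-/proc/net/pf_ring}"
    for f in "$dir"/*-*.*; do
        [ -f "$f" ] || continue
        awk -v ring="$(basename "$f")" '
            /^Bound Device/   { dev   = $NF }
            /^Appl\. Name/    { app   = $NF }
            /^Tot Packets/    { pkts  = $NF }
            /^Tot Pkt Lost/   { lost  = $NF }
            /^Min Num Slots/  { slots = $NF }
            /^Num Free Slots/ { free  = $NF }
            END {
                offered = pkts + lost
                loss = (offered > 0) ? 100 * lost / offered : 0
                # a ring that sits near 100% fill is one whose consumer is not keeping up
                fill = (slots > 0) ? 100 * (slots - free) / slots : 0
                printf "%s dev=%s app=%s rcvd=%d lost=%d loss=%.4f fill=%.1f\n", ring, dev, app, pkts, lost, loss, fill
            }' "$f"
    done
}

# Only rings that lost packets, worst first (the post's egrep -v ': 0', but in proportion).
pf_ring_rings_with_loss() {
    pf_ring_loss_report "$1" \
      | awk '{ split($5, kv, "="); if (kv[2] + 0 > 0) print kv[2], $0 }' \
      | sort -rn \
      | cut -d' ' -f2-
}

# Constructed sample stat files so the report can be run without PF_RING.
# Loss counts and the httpry ring are from the post; the other packet/slot counts are invented.
make_sample_pf_ring_dir() {
    d=$(mktemp -d)
    write_ring() {  # args: ring-name app tot-packets tot-lost free-slots
        cat > "$d/$1" <<EOF
Bound Device(s)    : eth1
Active             : 1
Appl. Name         : $2
Min Num Slots      : 32639
Tot Packets        : $3
Tot Pkt Lost       : $4
Num Free Slots     : $5
EOF
    }
    write_ring 9187-eth1.654 httpry 58267680 0     32612
    write_ring 9260-eth1.655 snort  30000000 36656 12000
    write_ring 9323-eth1.668 snort  25000000 87678 300
    echo "$d"
}
```

On a sensor, source the file and run `pf_ring_rings_with_loss` (it defaults to /proc/net/pf_ring); the "fill" column is what distinguishes a ring that is briefly bursting over its slot count from one whose Snort instance is persistently behind.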
