Hi Jose since ZC is a kernel-bypass technology, which directly access the network card, only 1 application at a time can access a device/queue. You have 2 options in order to distribute the load across multiple snort instances: 1. load the driver with multiple RSS queues, then start one snort instance per queue: zc:eth0@0, zc:eth0@1, zc:eth0@2, and so on 2. load the driver with a single queue, then use zbalance_ipc to distribute the traffic across multiple software SPSC queues
Alfredo > On 29 Jun 2015, at 13:21, Jose Vila <[email protected]> wrote: > > Also I cannot run two instances of zcount. > > First instance: > # zcount -i zc:eth0 -c 1 > ========================= > Absolute Stats: 290'517 pkts (0 drops) - 241'724'964 bytes > ========================= > > ========================= > Absolute Stats: 558'359 pkts (0 drops) - 461'319'923 bytes > Actual Stats: 267'802.09 pps (0.00 drops) - 1.76 Gbps > ========================= > > ========================= > Absolute Stats: 842'118 pkts (0 drops) - 699'454'776 bytes > Actual Stats: 283'714.45 pps (0.00 drops) - 1.90 Gbps > ========================= > > ========================= > Absolute Stats: 1'129'661 pkts (0 drops) - 942'027'493 bytes > Actual Stats: 287'499.01 pps (0.00 drops) - 1.94 Gbps > ========================= > > Second instance: > # zcount -i zc:eth0 -c 1 > pfring_zc_create_cluster error [Invalid argument] Please check that > pf_ring.ko is loaded and hugetlb fs is mounted > > But everything seems fine: > # lsmod | grep pf_ring > pf_ring 691861 1 > # cat /etc/mtab | grep huge > none /mnt/hugepages hugetlbfs rw 0 0 > > If I don't use ZC at all (-i eth0) I can get many instances of Snort working > (in my case, 22 instances) and everything seems to work fine. > > Any help will be appreciated. > > Regards, > > Jose Vila. > > On Mon, Jun 29, 2015 at 11:09 AM, Jose Vila <[email protected] > <mailto:[email protected]>> wrote: > I am testing a new box with ZC and an Intel ixgbe card, using CentOS 6.6, > PF_RING 6.1.0-9330, DAQ 2.0.5 and Snort 2.9.2 (I have some custom > preprocessors that don't work on newer versions), but I'm having some issues. > > I've configured and I'm able to load PF_RING and ixgbe drivers using the init > script: > > # /etc/init.d/pf_ring restart > Stopping PF_RING module: [ OK ] > Starting PF_RING module: grep: /etc/cluster/cluster-*conf: No existe el > fichero o el directorio > [ OK ] > > When I try to start more than a single instance of Snort, it fails: > # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth0 --daq > pfring_zc --daq-mode passive --daq-dir /usr/local/lib/daq/ --daq-var > bindcpu=1 --daq-var clusterid=10 -R .RED1 -l /var/log/snort/red1 -G 1 -u root > -g root -D > libnuma: Warning: node 9 not allowed > numa_sched_setaffinity_v2_int() failed; abort > : Invalid argument > set_mempolicy: Invalid argument > Spawning daemon child... > My daemon child 9140 lives... > Daemon parent exiting (0) > # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth0 --daq > pfring_zc --daq-mode passive --daq-dir /usr/local/lib/daq/ --daq-var > bindcpu=2 --daq-var clusterid=10 -R .RED2 -l /var/log/snort/red2 -G 2 -u root > -g root -D > libnuma: Warning: node 9 not allowed > numa_sched_setaffinity_v2_int() failed; abort > : Invalid argument > set_mempolicy: Invalid argument > # ps aux | grep snort > root 9140 100 1.7 881236 426032 ? Rsl 10:55 1:10 > /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth0 --daq > pfring_zc --daq-mode passive --daq-dir /usr/local/lib/daq/ --daq-var > bindcpu=1 --daq-var clusterid=10 -R .RED1 -l /var/log/snort/red1 -G 1 -u root > -g root -D > root 9144 0.0 0.0 105308 936 pts/0 S+ 10:56 0:00 grep snort > > The /var/log/messages file gives this error for the second Snort Instance: > Jun 29 10:56:07 mybox snort[9142]: pfring_zc DAQ configured to passive. > Jun 29 10:56:07 mybox snort[9142]: FATAL ERROR: Can't initialize DAQ > pfring_zc (-1) - pfring_zc_daq_initialize: Cluster failed: Invalid argument > (error 22) > > What does this "Error 22" mean? How can I solve this problem? > > Thank you very much. > > My actual configuration: > # cat /etc/pf_ring/zc/ixgbe/ixgbe.conf > RSS=1,1,1,1 > # cat /etc/pf_ring/hugepages > node=0 hugepagenumber=1024 > node=1 hugepagenumber=1024 > # cat /proc/meminfo | grep -i huge > AnonHugePages: 0 kB > HugePages_Total: 512 > HugePages_Free: 512 > HugePages_Rsvd: 0 > HugePages_Surp: 0 > Hugepagesize: 2048 kB > # cat /proc/net/pf_ring/dev/eth0/info > Name: eth0 > Index: 13 > Address: AA:BB:CC:DD:EE:FF > Polling Mode: NAPI/ZC > Type: Ethernet > Family: Intel ixgbe 82599 > Max # TX Queues: 1 > # Used RX Queues: 1 > Num RX Slots: 32768 > Num TX Slots: 32768 > # numactl --show > policy: default > preferred node: current > physcpubind: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 > cpubind: 0 1 > nodebind: 0 1 > membind: 0 1 > # numactl --hardware > available: 2 nodes (0-1) > node 0 cpus: 0 2 4 6 8 10 12 14 16 18 20 22 > node 0 size: 12277 MB > node 0 free: 10696 MB > node 1 cpus: 1 3 5 7 9 11 13 15 17 19 21 23 > node 1 size: 12287 MB > node 1 free: 10809 MB > node distances: > node 0 1 > 0: 10 20 > 1: 20 10 > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
