Hi Alfredo, I've tested my configuration with zbalance_ipc, and it seems to work.
On one hand, I've loaded zbalance_ipc with the following parameters: /usr/local/bin/zbalance_ipc -i zc:eth0 -c 99 -n 22 -m 1 -S 0 -g 1 -d -P /var/run/zbalance_ipc.pid On the other, my 22 instances of Snort with following parameters (changing zc queue, bindcpu and log directory where necessary): /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i zc:99@0 --daq pfring_zc --daq-mode passive --daq-dir /usr/local/lib/daq/ --daq-var bindcpu=2 -R .RED1 -l /var/log/snort/red1 -G 1 -u root -g root -D Regarding this setup, do you see any evident problem regarding optimisation? Some additional questions: * We've executed "cat /proc/interrupts | egrep \"CPU|eth0\"" and have seen that only 1 or 2 interrupts per second are generated. This is normal? Is it because the kernel being bypassed and the interrupt count not being logged at all? * The zbalance_ipc process gets 100% CPU usage in core 0 (parameter "-S 0"), and about 20-30% CPU usage in core 1 (parameter "-g 1"). Is this normal? Do we need the timestamping thread? Is it related to [1]? What are its benefits, considering we only want to use Snort in IDS mode? Thank you very much. [1] http://www.ntop.org/pf_ring/who-really-needs-sub-microsecond-packet-timestamps/ On Tue, Jun 30, 2015 at 3:09 PM, Jose Vila <[email protected]> wrote: > With RSS i can only have 16 queues (hardware limitation), so I need to use > zbalance_ipc. I'm testing it tomorrow and let you know the results. > > Thanks again. > >> >>> On Mon, Jun 29, 2015 at 6:48 PM, Alfredo Cardigliano < >>> [email protected]> wrote: >>> >>>> Hi Jose >>>> since ZC is a kernel-bypass technology, which directly access the >>>> network card, only 1 application at a time can access a device/queue. >>>> You have 2 options in order to distribute the load across multiple >>>> snort instances: >>>> 1. load the driver with multiple RSS queues, then start one snort >>>> instance per queue: zc:eth0@0, zc:eth0@1, zc:eth0@2, and so on >>>> 2. load the driver with a single queue, then use zbalance_ipc to >>>> distribute the traffic across multiple software SPSC queues >>>> >>>> Alfredo >>>> >>>> >>>> _______________________________________________ >>>> Ntop-misc mailing list >>>> [email protected] >>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >>>> >>> >>> >> >
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
