Hi Jose please read below > On 01 Jul 2015, at 13:36, Jose Vila <[email protected]> wrote: > > Hi Alfredo, > > I've tested my configuration with zbalance_ipc, and it seems to work. > > On one hand, I've loaded zbalance_ipc with the following parameters: > > /usr/local/bin/zbalance_ipc -i zc:eth0 -c 99 -n 22 -m 1 -S 0 -g 1 -d -P > /var/run/zbalance_ipc.pid > > On the other, my 22 instances of Snort with following parameters (changing zc > queue, bindcpu and log directory where necessary): > > /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i zc:99@0 > --daq pfring_zc --daq-mode passive --daq-dir /usr/local/lib/daq/ --daq-var > bindcpu=2 -R .RED1 -l /var/log/snort/red1 -G 1 -u root -g root -D > > Regarding this setup, do you see any evident problem regarding optimisation?
It looks fine. > Some additional questions: > * We've executed "cat /proc/interrupts | egrep \"CPU|eth0\"" and have seen > that only 1 or 2 interrupts per second are generated. This is normal? Is it > because the kernel being bypassed and the interrupt count not being logged at > all? 1/2 per second are ok. > * The zbalance_ipc process gets 100% CPU usage in core 0 (parameter "-S 0”), This is the timestamping thread, it is normal. Actually we could add an option to reduce the load, because snort does not need very precise timestamps, adding this to the TODO queue. > and about 20-30% CPU usage in core 1 (parameter "-g 1”). This is packet processing/distribution. > Is this normal? Yes. > Do we need the timestamping thread? Yes, snort needs packet time. > Is it related to [1]? What are its benefits, considering we only want to use > Snort in IDS mode? Without timestamps you will not see the time in the alerts. Alfredo > Thank you very much. > > [1] > http://www.ntop.org/pf_ring/who-really-needs-sub-microsecond-packet-timestamps/ > > <http://www.ntop.org/pf_ring/who-really-needs-sub-microsecond-packet-timestamps/> > > On Tue, Jun 30, 2015 at 3:09 PM, Jose Vila <[email protected] > <mailto:[email protected]>> wrote: > With RSS i can only have 16 queues (hardware limitation), so I need to use > zbalance_ipc. I'm testing it tomorrow and let you know the results. > > Thanks again. > > On Mon, Jun 29, 2015 at 6:48 PM, Alfredo Cardigliano <[email protected] > <mailto:[email protected]>> wrote: > Hi Jose > since ZC is a kernel-bypass technology, which directly access the network > card, only 1 application at a time can access a device/queue. > You have 2 options in order to distribute the load across multiple snort > instances: > 1. load the driver with multiple RSS queues, then start one snort instance > per queue: zc:eth0@0, zc:eth0@1, zc:eth0@2, and so on > 2. load the driver with a single queue, then use zbalance_ipc to distribute > the traffic across multiple software SPSC queues > > Alfredo > > > _______________________________________________ > Ntop-misc mailing list > [email protected] <mailto:[email protected]> > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > <http://listgateway.unipi.it/mailman/listinfo/ntop-misc> > > > >
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
