Ah.. so if only 16 queues, I should go back to only 16 copies of snort? On 2 December 2015 at 15:06, Alfredo Cardigliano <[email protected]> wrote:
> Sorry, forgot to tell you RSS on ixgbe supports up to 16 queues. > > Alfredo > > On 02 Dec 2015, at 16:06, Alfredo Cardigliano <[email protected]> > wrote: > > It looks fine, you can omit MQ. > > Alfredo > > On 02 Dec 2015, at 16:04, James <[email protected]> wrote: > > Many thanks for the help Alfredo. So I'll crank things up to use all CPU's > and that gives me (I've converted it to a for loop): > > for i in `seq 0 1 48`; do > snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf > -l /logs/snort/eth4_eth5/instance-$1 --daq-dir=/usr/local/lib/daq --daq > pfring_zc --daq-mode passive -i zc:eth4@$1,zc:eth5@$1 --daq-var > clusterid=$1 --daq-var idsbridge=1 --daq-var bindcpu=$1 > done > > Is this the correct load_driver.sh setting to match? I'm not sure about > the MQ values? > insmod ./ixgbe.ko MQ=1,1,1,1 RSS=48,48,48,48 > > On 2 December 2015 at 14:15, Alfredo Cardigliano <[email protected]> > wrote: > >> Please use README.1st as reference. >> What you need to know: >> 1. Use --daq-var clusterid=K where K is a unique number per snort >> instance, used for resource allocation >> 2. Use --daq-var bindcpu=K where K is the core id for affinity, please >> ignore interrupts affinity with ZC >> 3. Use “,” in -i in please of “+” for interfaces aggregation, “+” is used >> for IPS/IDS-bridge mode >> 4. We usually recommend using only the CPU where the NIC is connected, >> however since snort is (likely) the bottleneck, feel free to use all the >> cores available, setting RSS=N,N where N is the number of cores and the >> number of snort instances. >> >> Alfredo >> >> On 02 Dec 2015, at 15:08, James <[email protected]> wrote: >> >> Follow-up question - should I use the cluster-id parameter? >> >> This uses it: >> >> https://svn.ntop.org/svn/ntop/trunk/attic/PF_RING/userland/snort/pfring-daq-module-zc/README.1st >> >> But this does not: >> http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/ >> >> On 2 December 2015 at 14:01, James <[email protected]> wrote: >> >>> Hi all, >>> >>> I posted a few weeks ago and have since got pf_ring with ZC working. I'm >>> now trying to decide how best to configure snort (in IDS mode). My server >>> has 4 X 12 core CPU's and two NIC's which are being fed one half each of a >>> 10Gb connection. >>> >>> I have a few key questions: >>> - Within the ixgbe zc load_drive.sh script, would the default 16 queue >>> option do, or would you choose something different: insmod ./ixgbe.ko >>> MQ=1,1,1,1 RSS=16,16,16,16 >>> >>> - Assuming the choice of 16 above, should I start 16 copies of Snort >>> like this (variation on the example from ntop website)? >>> snort -q --pid-path /var/run --create-pidfile -D -c >>> /etc/snort/snort.conf -l /var/log/snort/eth4_eth5/instance-1 >>> --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth4@0 >>> +zc:eth5@0 --daq-var idsbridge=1 --daq-var bindcpu=0 >>> >>> The information on http://www.metaflows.com/features/pf_ring about CPU >>> affinity and interrupts has confused me somewhat. >>> >>> Thanks >>> J. >>> >> >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >> >> >> >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >> > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc >
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
