Project

General

Profile

Actions

Feature #269

closed

Proccesing Bottleneck

Added by Benjamin Flament almost 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

I'm currently testing suricata for a project where we need it to stand high throughputs. Our current goal is to get to 1Gbps in inline mode, but when I run it with 1Gbps of traffic, the queues get full and packets are dropped. Observing the CPU consumed by each thread I noticed that the veredict thread was almost consuming an entire core of the CPU, which makes me think it may be the problem. I also tried to run 2 instances of suricata and splitted the traffic in two (almost equal) queues based on packets source IP and got it running with no problem.

I suspect the problem may be the RecieveNFQ or Veredict Thread as 1 proccess by itself couldn't handle all the traffic and the CPU was still running at half capacity. Would it be possible to have various ReceiveNFQ and Veredict threads so that their load is shared by many cores?


Files

multiqueue.tgz (15.9 KB) multiqueue.tgz Eric Leblond, 01/10/2011 03:13 PM
Actions

Also available in: Atom PDF