Hello, I’ve been trying to run Suricata with the DPDK packet capture mode, but the number of dropped packets is way bigger when compared to AF-PACKET.
I compared both methods with the same input traffic (~25Gbps of TCP packets), the same ruleset (emerging threats), the same NIC (ConnectX-6 Dx) configuration, set up RSS and used 32 cores/threads.
I also configured hugepages:
```
HugePages_Total: 4096
HugePages_Free: 4096
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
Hugetlb: 10485760 kB
```
Some additional info:
- Suricata 8.0.2 installed from source to enable DPDK
- Ubuntu 24.04
- DPDK 25.07.0
When running with AF-PACKET, all packets were received and processed, while with DPDK, half of the packets were dropped. I’m annexing the stats.log and suricata.log from both. I’m also attaching the config files used for them.
I’ve read other threads (thread1, thread2, thread3) about DPDK’s performance, and the main suggestion was to increase the descriptors to 32768. The performance I obtained was the one I reported previously. You can see the actual results in the files I’m attaching.
Is AF-PACKET really supposed to outperform DPDK, or did I miss some configuration?
af_packet.yaml (72.6 KB)
af_packet_suricata.log (10.9 KB)
af_packet_stats.log (48.4 KB)
dpdk.yaml (71.6 KB)
dpdk_suricata.log (11.0 KB)
dpdk_stats.log (41.6 KB)