Suricata 7.0.0 IPS AF_Packet+RSS huge drop in performance

sbhardwaj · August 23, 2023, 8:38am

Hi, Suresh!
Thank you for sharing the stats. Following is what I could come up with:

Since you’re using cluster_qm type, please make sure that:
a. RSS symmetric hashing is enabled
b. Disable NIC offloading except rx/tx checksums
c. Set proper affinity
d. any other optimizations you can think of (check the ones mentioned by Andreas: Suricata high capture.kernel_drops count - #8 by Andreas_Herz)
Try increasing your ring-size
AF_PACKET v2 seems to be recommended w IPS, so make sure you’re using that

Drops shouldn’t be as high as they are currently indeed. Let’s see if something works out with the above mentioned things.

Topic		Replies	Views
High Packet Drop Rate with DPDK compared to AF_PACKET in Suricata 7.0.7 Help suricata , dpdk	8	116	October 28, 2024
High number of kernel_drops Help	13	3594	March 2, 2021
Help with packets drop Help	10	53	October 5, 2024
Kernel Drops and Optimization Recommendations Help	6	2031	June 29, 2021
High Suricata capture.kernel_drops Help	13	372	February 23, 2024