[prev in list] [next in list] [prev in thread] [next in thread]
List: bro
Subject: Re: [Zeek] zbalance_ipc and Zeek
From: C Blair <mnmblair () hotmail ! com>
Date: 2019-03-23 12:58:24
Message-ID: DM6PR17MB2076C84C135A31F48E577B31D55C0 () DM6PR17MB2076 ! namprd17 ! prod ! outlook ! com
[Download RAW message or body]
Hi Bill,
I just wanted to follow up. I have had success after disabling hyper-threading. I \
have also isolated the cores for the queue consumers. Zeek and Snort now reliably \
process over 2Gbps simultaneously with zbalance_ipc. The traffic is a vanilla \
enterprise profile generated by a traffic generator. I will look into tuning the Zeek \
analyzers. Thank you for the assist.
CB
On Mar 18, 2019, at 6:41 AM, william de ping <bill.de.ping@gmail.com> wrote:
Hi Colin
Have you seen any difference in traffic rate of virtual NICs between zbalance_ipc and \
RSS LB ? Can you send htop when bro workers are running ?
Drops should mean that a worker reaches more than 100% CPU usage, if this is the \
case, I would dive into the world of cpuset. With this pseudo directory you can view \
what other processes are running on a core in addition to bro's instance so you could \
make the core exclusive for bro and the OS will use other available cpus for the rest \
of the processes. I would first resort to the difference between RSS and zbalance_ipc \
prior to making cpus exclusive.
There are many tweaks in bro, but it really depends on the type of traffic and what \
you do with it. using dump-events script you get a sense of the most active events. \
grep these events and search for the bro scripts that registered them, it could very \
well be the case that no log file will be generated in that script. Such scripts \
could be irrelevant so you can switch off their analyzer (comment loading them in \
init-default.bro)
Let me know how its working out for you
B
________________________________
From: C Blair <mnmblair@hotmail.com>
Sent: Sunday, March 17, 2019 6:09 PM
To: bill.de.ping@gmail.com
Subject: Re: [Zeek] zbalance_ipc and Zeek
Hi Bill,
The server is a single socket. Attached is my lstopo output. I have run zbalance_ipc \
with the -p option. This sends the packet per queue data to stdout and you can view \
what is happening in real time. The queues receive with zero drops and then Zeek \
drops packets equally. I have pinned zbalance_ipc to logical core 15 and the Bro \
workers are pinned to 1-10 logical cores. I have reserved core 0 for packet time \
stamping. I let CentOS schedule the remaining logical cores. I have not tried turning \
off Hyper-threading. Can you recommend core affinity for my given hw?
Are there certain analyzers you recommend turning off and how do I accomplish that?
Thanks again,
CB
On Mar 17, 2019, at 1:38 PM, william de ping <bill.de.ping@gmail.com> wrote:
Hi,
I would check the followings :
* Numa node configuration - This server should have 2 CPU sockets, if you pinned \
zbalance_ipc to a numa node which is not directly connected to the PCI bus hosting \
the NIC all traffic will go through the QPI and that could explain why it will be \
slower. I would check that the zbalance_ipc app is pinned to the CPU socket that is \
closer to the PCI NIC to avoid this
* Check line rate on each virtual interface using \
PF_RING/userland/examples/pfcount. check on : zc:99@[0,1,...,9] after using \
zbalance_ipc and without zbalance_ipc using the RSS. This should give you a clue if \
there is a specific worker instance that is receiving significantly more traffic than \
others (RSS and zbalance_ipc LB might differ). It really depends on the type of \
traffic, but I assume that on a 2.3Ghz processor, a single bro worker can process \
anything between 150-400mbps.
* Run a single instance of bro with local configuration and dump-events.bro \
script (you can redef include_args=F to get only events name without parameters). \
Output, sort, uniq -c it to get a clue on what event occur more often. Some analyzers \
might be turned off to save CPU cycles.
Let me know if it helps
B
________________________________
From: C Blair
Sent: Sunday, March 17, 2019 8:34 AM
To: bill.de.ping@gmail.com
Cc: zeek@zeek.org
Subject: Re: [Zeek] zbalance_ipc and Zeek
Hi Bill,
Thank you for the assist. Currently, Zeek cannot reliably capture more than 300Mbps \
with this configuration. When I remove zbalance_ipc and use RSS with \
num_rss_queues=lb_procs Zeek can capture up to 2Gbps. I need to use zbalance_ipc \
because I use a single capture interface with multiple consuming applications, i.e. \
Zeek and Snort. It seems obvious that a software load balancer will perform less than \
hardware, however, I don't see the same significant performance drop with other \
consuming applications like Snort.
Ingress Line speed:
I am using a traffic generator so I can regulate up to 10Gbps.
ZEEK node.cfg
[manager]
type=manager
host=localhost
[logger]
type=logger
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=zc:99
lb_method=pf_ring
lb_procs=10
pin_cpus=1,2,3,4,5,6,7,8,9,10
ZBALANCE_IPC run config
zbalance_ipc -i zc:eth0 -c 99 -n 10 -m 4 -g 15 -S 0
PFRING-ZC INFO
PF_RING Version : 7.5.0 (unknown)
Total rings : 22
Standard (non ZC) Options
Ring slots : 65536
Slot version : 17
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
Name : ethØ
Index : 40
Address : XX:XX:XX:XX:XX:XX
Polling Mode : NAPI/ZC
Type : Ethernet
Family : ixgbe
TX Queues : 1
RX Queues : 1
Num RX Slots : 32768
Num TX Slots : 32768
System Specs:
Xeon D-1587 16 cores, 32 logical, 1.7 Ghz, 2.3 Ghz turbo, 20M Cache
128GB DDR4 2133Mhz
8TB SSD
Intel 10GBase-T X557 ixgbe
On Mar 17, 2019, at 9:08 AM, william de ping <bill.de.ping@gmail.com> wrote:
Hi Colin,
Can you please clarify your deployment ? (node.cfg file, NIC type, PF_RING version, \
zbalance_ipc parameters and the ingress line rate )
Thanks
B
On Fri, Mar 15, 2019 at 12:38 AM COLIN BLAIR \
<mnmblair@hotmail.com<mailto:mnmblair@hotmail.com>> wrote: Hi All,
Does anyone have a success story using zbalance_ipc and Zeek. We are getting very \
high packet loss using zbalance_ipc. When we remove zbalance_ipc, Zeek performs well \
on pf_ring zero copy with RSS. Any advice is appreciated.
R,
CB
_______________________________________________
Zeek mailing list
zeek@zeek.org<mailto:zeek@zeek.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek<http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek>
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} \
</style> </head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: \
rgb(0, 0, 0);"> Hi Bill,</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: \
rgb(0, 0, 0);"> I just wanted to follow up. I have had success after disabling \
hyper-threading. <span style="font-family: Calibri, Helvetica, sans-serif; \
background-color: rgb(255, 255, 255); display: inline !important"> I have also \
isolated the cores for the queue consumers. </span>Zeek and Snort now reliably \
process over 2Gbps simultaneously with zbalance_ipc. The traffic is a vanilla \
enterprise profile generated by a traffic generator. I will look into tuning the Zeek \
analyzers. <span id="" title="Search for suggestions" class=""><span \
id="SmartSuggestionsKeyword834704" title="Search for suggestions" \
class="_1okoJpT9HZqFCFE-Qxz_m9">Thank you for the assist.</span></div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: \
rgb(0, 0, 0);"> <br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: \
rgb(0, 0, 0);"> CB <br>
<br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-weight: normal; orphans: auto; widows: auto"> <blockquote type="cite" \
style="font-family: Helvetica; font-size: 12px; font-weight: normal; orphans: auto; \
widows: auto"> <div>On Mar 18, 2019, at 6:41 AM, william de ping \
<bill.de.ping@gmail.com> wrote:</div> <br>
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi Colin</div>
<div><br>
</div>
<div>Have you seen any difference in traffic rate of virtual NICs between \
zbalance_ipc and RSS LB ?</div> <div>Can you send htop when bro workers are running \
?</div> <div>Drops should mean that a worker reaches more than 100% CPU usage, if \
this is the case, I would dive into the world of cpuset.</div> <div>With this \
pseudo directory you can view what other processes are running on a core in addition \
to bro's instance so you could make the core exclusive for bro and the OS will use \
other available cpus for the rest of the processes.</div> <div>I would first resort \
to the difference between RSS and zbalance_ipc prior to making cpus exclusive.</div> \
<div><br> </div>
<div>There are many tweaks in bro, but it really depends on the type of traffic and \
what you do with it. using dump-events script you get a sense of the most active \
events. grep these events and search for the bro scripts that registered them, it \
could very well be the case that no log file will be generated in that script. Such \
scripts could be irrelevant so you can switch off their analyzer (comment loading \
them in init-default.bro)</div> <div><br>
</div>
<div>Let me know how its working out for you</div>
<div>B</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
<div id="appendonsend"></div>
</span>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" \
style="font-size:11pt" color="#000000"><b>From:</b> C Blair \
<mnmblair@hotmail.com><br> <b>Sent:</b> Sunday, March 17, 2019 6:09 PM<br>
<b>To:</b> bill.de.ping@gmail.com<br>
<b>Subject:</b> Re: [Zeek] zbalance_ipc and Zeek</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<blockquote style="margin:0 0 0 40px; border:none; padding:0px">
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <span style="font-family:Helvetica; font-size:12px; \
font-weight:normal; orphans:auto; widows:auto; \
display:inline!important"></span></div> </blockquote>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> Hi Bill,</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <span style="color:rgb(0,0,0); \
font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br> </span></div>
<div style=""><font color="#000000" face="Calibri, Helvetica, sans-serif"><span \
style="font-size:12pt">The server is a single socket. </span></font><span \
style="background-color:rgb(255,255,255); display:inline!important"><font \
color="#000000" face="Calibri, Helvetica, sans-serif"><span \
style="font-size:12pt">Attached is my lstopo output. I have run zbalance_ipc with \
the -p option. This sends the packet per queue data to stdout and you can view what \
is happening in real time. The queues receive with zero drops and then Zeek drops \
packets equally. I have pinned zbalance_ipc to logical core 15 and the Bro workers \
are pinned to 1-10 logical cores. I have reserved core 0 for packet time stamping. I \
let CentOS schedule the remaining logical cores. I have not tried turning off \
Hyper-threading. Can you </span>recommend<span style="font-size:12pt"> core \
affinity for my given hw?</span></font></span><br> </div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <span style="color:rgb(0,0,0); \
font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><span \
style="font-family:Calibri,Helvetica,sans-serif; background-color:rgb(255,255,255); \
display:inline!important"><br> </span></span></div>
<div style=""><span style="background-color:rgb(255,255,255); \
display:inline!important"><font color="#000000" face="Calibri, Helvetica, \
sans-serif"><span style="font-size:12pt">Are there certain analyzers you \
</span>recommend<span style="font-size:12pt"> </span>turning<span \
style="font-size:12pt"> off and how do I accomplish \
that?</span></font></span></div> <div \
style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)"> \
<span style="color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif; \
font-size:12pt"><span style="font-family:Calibri,Helvetica,sans-serif; \
background-color:rgb(255,255,255); display:inline!important"><br> \
</span></span></div> <div style="font-family:Calibri,Helvetica,sans-serif; \
font-size:12pt; color:rgb(0,0,0)"> Thanks again,</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> CB</div>
<blockquote type="cite" style="font-family:Helvetica; font-weight:normal; \
orphans:auto; widows:auto"> <div>On Mar 17, 2019, at 1:38 PM, william de ping \
<bill.de.ping@gmail.com> wrote:</div> <br>
<div><span style="display:inline!important">Hi,</span>
<div style=""><br>
</div>
<div style="">I would check the followings :</div>
<div style=""><br>
</div>
<div style="">
<ul>
<li>Numa node configuration - This server should have 2 CPU sockets, if you pinned \
zbalance_ipc to a numa node which is not directly connected to the PCI bus hosting \
the NIC all traffic will go through the QPI and that could explain why it will be \
slower. I would check that the zbalance_ipc app is pinned to the CPU socket that is \
closer to the PCI NIC to avoid this</li><li>Check line rate on each virtual interface \
using PF_RING/userland/examples/pfcount. check on : zc:99@[0,1,...,9] after using \
zbalance_ipc and without zbalance_ipc using the RSS. This should give you a clue if \
there is a specific worker instance that is receiving significantly more traffic \
than others (RSS and zbalance_ipc LB might differ). It really depends on the type of \
traffic, but I assume that on a 2.3Ghz processor, a single bro worker can process \
anything between 150-400mbps. <br> </li><li>Run a single instance of bro with \
local configuration and dump-events.bro script (you can redef include_args=F to \
get only events name without parameters). Output, sort, uniq -c it to get a clue on \
what event occur more often. Some analyzers might be turned off to save CPU \
cycles.</li></ul> <div>Let me know if it helps</div>
</div>
<div style="">B</div>
</div>
</blockquote>
<br>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <br>
</div>
<div id="x_appendonsend"></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" \
style="font-size:11pt"><b>From:</b> C Blair<br> <b>Sent:</b> Sunday, March 17, 2019 \
8:34 AM<br> <b>To:</b> bill.de.ping@gmail.com<br>
<b>Cc:</b> zeek@zeek.org<br>
<b>Subject:</b> Re: [Zeek] zbalance_ipc and Zeek</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <div style="margin:0px; font-size:12pt; \
font-family:Calibri,Helvetica,sans-serif"> <span style="margin:0px">Hi \
Bill,</span></div> <div style="margin:0px; font-size:12pt; \
font-family:Calibri,Helvetica,sans-serif"> <span style="margin:0px">Thank \
you for the assist. <span style="margin:0px; \
font-family:Calibri,Helvetica,sans-serif; background-color:rgb(255,255,255)"><span \
style="margin:0px; background-color:rgb(255,255,255); display:inline!important"><span \
style="margin:0px">Currently, Zeek</span></span></span><span \
style="font-family:Calibri,Helvetica,sans-serif; background-color:rgb(255,255,255); \
display:inline!important"> </span><span \
style="font-family:Calibri,Helvetica,sans-serif; background-color:rgb(255,255,255); \
display:inline!important">cannot reliably capture more than 300Mbps with this \
configuration. When I remove zbalance_ipc and use RSS with num_rss_queues=lb_procs \
Zeek can capture up to 2Gbps. I need to use zbalance_ipc because I use a single \
capture interface with multiple consuming applications, i.e. Zeek and Snort. It \
seems obvious that a software load balancer will perform less than hardware, however, \
I don't see the same significant performance drop with other consuming applications \
like Snort.</span></span></div> <div style="margin:0px; font-size:12pt; \
font-family:Calibri,Helvetica,sans-serif"> <span style="margin:0px"><br>
</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif">
<span style="margin:0px">Ingress Line speed:</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif">
<span style="margin:0px">I am using a traffic generator so I can regulate up to \
10Gbps. <span style="margin:0px; background-color:rgb(255,255,255); \
display:inline!important"><span style="margin:0px"> </span></span></span></div> \
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif"> \
<span style="margin:0px"><br> </span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif">
<span style="margin:0px">ZEEK node.cfg</span></div>
<blockquote style="color:rgb(51,51,51); margin:0px 0px 0px 40px; border:none">
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">[manager]</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">type=manager</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">host=localhost</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px"><br>
</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">[logger]</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">type=logger</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">host=localhost</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px"><br>
</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">[proxy-1]</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">type=proxy</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">host=localhost</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px"><br>
</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> [worker-1]</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> type=worker</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> host=localhost</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> interface=zc:99</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> lb_method=pf_ring</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> lb_procs=10</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px">pin_cpus=1,2,3,4,5,6,7,8,9,10</div>
</div>
</blockquote>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif">
<div style="margin:0px"><br>
</div>
</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif">
<span style="margin:0px">ZBALANCE_IPC run config</span></div>
<blockquote style="color:rgb(51,51,51); margin:0px 0px 0px 40px; border:none">
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px">zbalance_ipc -i zc:eth0 -c 99 -n 10 -m 4 \
-g 15 -S 0</span></div> </blockquote>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif">
<span style="margin:0px"><br>
</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif">
<span style="margin:0px">PFRING-ZC INFO</span></div>
<blockquote style="color:rgb(51,51,51); margin:0px 0px 0px 40px; border:none">
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px; font-size:11pt">PF_RING Version \
: 7.5.0 (unknown)</span></div> <div style="margin:0px; font-size:12pt; \
font-family:Calibri,Helvetica,sans-serif; color:rgb(0,0,0)"> <div \
style="margin:0px"><span style="margin:0px; font-size:11pt">Total rings \
: 22</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Standard (non ZC) Options</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Ring slots : 65536</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Slot version : 17</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Capture TX : No [RX only]</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">IP Defragment : No</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Socket Mode : Standard</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Cluster Fragment Queue : 0</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Cluster Fragment Discard : 0</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Name : ethØ</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Index : 40</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Address : XX:XX:XX:XX:XX:XX</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Polling Mode : NAPI/ZC</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Type : Ethernet</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Family : ixgbe</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">TX Queues : 1</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">RX Queues : 1</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <div style="margin:0px"><span style="margin:0px; \
font-size:11pt">Num RX Slots : 32768</span></div> </div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px; font-size:11pt; \
font-family:Calibri,Helvetica,sans-serif">Num TX Slots : \
32768</span></div> </blockquote>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px; font-size:11pt"><br>
</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Helvetica,sans-serif; \
color:rgb(0,0,0)"> <span style="margin:0px; font-size:11pt"><span \
style="font-family:Calibri,Helvetica,sans-serif; font-size:11pt; font-weight:normal; \
display:inline!important">System Specs:</span><br style="font-family:Helvetica; \
font-size:12px; font-weight:normal; orphans:auto; widows:auto"> <span \
style="font-family:Calibri,Helvetica,sans-serif; font-size:11pt; font-weight:normal; \
display:inline!important">Xeon D-1587 16 cores, 32 logical, 1.7 Ghz, 2.3 Ghz turbo, \
20M Cache</span><br style="font-family:Helvetica; font-size:12px; font-weight:normal; \
orphans:auto; widows:auto"> <span style="font-family:Calibri,Helvetica,sans-serif; \
font-size:11pt; font-weight:normal; display:inline!important">128GB DDR4 \
2133Mhz</span><br style="font-family:Helvetica; font-size:12px; font-weight:normal; \
orphans:auto; widows:auto"> <span style="font-family:Calibri,Helvetica,sans-serif; \
font-size:11pt; font-weight:normal; display:inline!important">8TB SSD</span><br \
style="font-family:Helvetica; font-size:12px; font-weight:normal; orphans:auto; \
widows:auto"> <span style="font-family:Calibri,Helvetica,sans-serif; font-size:11pt; \
font-weight:normal; display:inline!important">Intel 10GBase-T X557 \
ixgbe</span></span></div> </div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> </div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <blockquote type="cite" style="font-family:Helvetica; \
font-size:12px; font-weight:normal; orphans:auto; widows:auto"> <div>On Mar 17, 2019, \
at 9:08 AM, william de ping <bill.de.ping@gmail.com> wrote:</div> <br>
<div>
<div dir="ltr">Hi Colin,
<div><br>
</div>
<div>Can you please clarify your deployment ? (node.cfg file, NIC type, PF_RING \
version, zbalance_ipc parameters and the ingress line rate )</div> <div><br>
</div>
<div>Thanks</div>
<div>B</div>
</div>
<br>
<div>
<div dir="ltr">On Fri, Mar 15, 2019 at 12:38 AM COLIN BLAIR <<a \
href="mailto:mnmblair@hotmail.com">mnmblair@hotmail.com</a>> wrote:<br> </div>
<blockquote style="margin:0px 0px 0px 0.8ex; border-left-width:1px; \
border-left-style:solid; border-left-color:rgb(204,204,204); padding-left:1ex"> <div \
dir="ltr"> <div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Hi \
All,</div> <div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Does anyone \
have a success story using zbalance_ipc and Zeek. We are getting very high packet \
loss using zbalance_ipc. When we remove zbalance_ipc, Zeek performs well on pf_ring \
zero copy with RSS. Any advice is appreciated.</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">R,</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt">CB</div>
</div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek" rel="noreferrer" \
target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote>
</div>
</div>
</blockquote>
<br>
<br>
</div>
</div>
</div>
</body>
</html>
_______________________________________________
Zeek mailing list
zeek@zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--===============0059541022==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic