Yes, that's ATR with OS scheduler reordering frames, I believe. There's even a 
paper about that. It actually has to reorder packets now that I think about 
that.

Disable ATR, all offloading, set symmetric hashing and pin interrupts and IDS 
workers. Should work - my quick tests with the Bro IDS, which logs flags as they 
come, were successful.

I'm not sure you'll get a lot of performance improvements - with the constant 
switching between the userspace and a kernel space. TLB thrashing (albeit tagged 
now), partial cache flush. Worth testing.

One thing we'd like to ask Intel for is the ability to set symmetric hash on 
the X710 which by all means is the future of the IDS and has a good chance of 
becoming a gold standard.

There was a patch sent by a Suricata developer Victor Julien a while ago. Can we 
get back to that discussion?

> On 17 Nov 2016, at 01:22, Cooper F. Nelson <cnel...@ucsd.edu> wrote:
> 
> Hi Don,
> 
> Thank you for the prompt reply.  I can't see how ATR would work in a
> span/monitor case as we are only using RSS to capture/hash the flows.
> No TSS involved.
> 
> I read the 'random secret key' paper and they left out the details how
> to actually set the key.  Can you point me to any docs that show how to
> set the hash key on a current ixgbe driver?  This is the one I'm running
> on our kernel:
> 
>> [182398.649391] ixgbe: Intel(R) 10 Gigabit PCI Express Network Driver - version 4.4.0-k
> 
> -Coop
> 
>> On 11/16/2016 3:59 PM, Skidmore, Donald C wrote:
>> Hey Cooper,
>> 
>> Well RSS is a HW offload so I'm not sure how much can be done to
>> "fix" this issue.  That said with more recent driver versions you
>> can modify the RSS hash key and maybe try out the special "Random
>> Secret Key" mentioned in the Suricata documentation.  Likewise ATR
>> may behave better for this setup as it attempts to localize traffic to
>> the CPU the transmit was done on and since the queues are mapped
>> 1-to-1 with the CPUs both sides of the should end up on the same
>> queue assuming they are processed by the same thread.  Might be worth
>> trying?
>> 
>> Thanks, -Don Skidmore <donald.c.skidm...@intel.com>
>> 
>>> -----Original Message-----
>>> From: Cooper F. Nelson [mailto:cnel...@ucsd.edu]
>>> Sent: Wednesday, November 16, 2016 3:30 PM
>>> To: e1000-de...@lists.sf.net
>>> Subject: [E1000-devel] Symmetric hashing for ixgbe driver?
>>> 
>>> See subject.  The lack of symmetric flow hashing in RSS
>>> implementations is impacting the accuracy of IDS sensors
>>> (particularly those using bro and suricata).  Is there a roadmap
>>> for fixing this issue?
>>> 
>>> More details at the link below:
>>> 
>>>> http://suricata.readthedocs.io/en/latest/performance/packet-capture.html
>>> 
>>> -- Cooper Nelson Network Security Analyst UCSD ITS Security Team 
>>> cnel...@ucsd.edu x41042
>> 
> 
> 
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnel...@ucsd.edu x41042
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> E1000-devel mailing list
> E1000-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/e1000-devel
> To learn more about Intel® Ethernet, visit 
> http://communities.intel.com/community/wired
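
The symmetric-hashing point discussed in this thread, as an added example that is not part of the thread or of any driver's code: a Toeplitz (RSS) hash computed for both directions of one flow, first with Microsoft's published default key and then with the repeating 0x6D5A key. The 0x6D5A value and the `ethtool -X <dev> hkey` form are assumptions brought in from general knowledge, not quoted in the thread, and whether a given ixgbe version accepts a new key is not established here.

```python
import ipaddress
import struct

# Microsoft's published default RSS key: widely used, not symmetric.
DEFAULT_KEY = bytes.fromhex(
    "6d5a56da255b0ed24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa")
# Assumed symmetric key: the 16-bit pattern 0x6D5A repeated to fill 40 bytes.
SYMMETRIC_KEY = bytes.fromhex("6d5a") * 20


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """32-bit Toeplitz hash: XOR the 32-bit key window at every set input bit."""
    key_int, key_bits = int.from_bytes(key, "big"), len(key) * 8
    if len(data) * 8 + 31 > key_bits:
        raise ValueError("key too short for this input")
    result = 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def rss_input(src: str, dst: str, sport: int, dport: int) -> bytes:
    """IPv4/TCP hash input: src addr, dst addr, src port, dst port (network order)."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))


def directions(key: bytes, src: str, dst: str, sport: int, dport: int):
    """Hashes of the client->server and server->client packets of one flow."""
    return (toeplitz_hash(key, rss_input(src, dst, sport, dport)),
            toeplitz_hash(key, rss_input(dst, src, dport, sport)))


def hkey_string(key: bytes) -> str:
    """Colon-separated hex, the form `ethtool -X <dev> hkey` takes."""
    return ":".join(f"{b:02x}" for b in key)


if __name__ == "__main__":
    flow = ("192.0.2.10", "198.51.100.20", 51514, 443)  # constructed sample flow
    for name, key in (("default", DEFAULT_KEY), ("symmetric", SYMMETRIC_KEY)):
        fwd, rev = directions(key, *flow)
        # Equal hashes index the same indirection-table entry, hence the same queue.
        print(f"{name:9} fwd={fwd:#010x} rev={rev:#010x} same={fwd == rev}")
    print("hkey:", hkey_string(SYMMETRIC_KEY))
```

The key is symmetric because it repeats every 16 bits: swapping the addresses moves input bits by 32 positions and swapping the ports moves them by 16, so each bit lands on an identical key window.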
