Distributing the packet-processing task over multiple CPUs/cores
With the LibPCAP capturing engine, the packet-processing task can use only one CPU core.
To distribute the packet-processing tasks of Packet Sensor over multiple CPU cores, either enable CPU Threads with PF_RING, Netmap or Sniffer10G, or use the following technique:
- Use Intel X520, Intel X540 or any other NIC that has the Intel 82599 chipset.
- Install PF_RING version 6 and use the PF_RING-aware ixgbe driver.
- See the number of RSS queues allocated by the ixgbe driver by executing dmesg, or by listing /var/log/messages or /var/log/syslog. The number of RSS queues should be equal to the number of CPU cores detected by the Linux kernel.
- Define multiple Packet Sensors, each listening to ethX@queue_id or ethX@queue_range. All Packet Sensors defined to listen to a single interface use a single Sensor license.
- Aggregate all Packet Sensors into a single Sensor Cluster to have a unified anomaly detection domain.
Autor
Andrisoft Team
Andrisoft Team
Erstellt am
2014-01-21 18:18:58
2014-01-21 18:18:58
Aktualisiert am
2017-12-10 01:41:57
2017-12-10 01:41:57
Aufrufe
11202
11202