Distributing the packet-processing task over multiple CPUs/cores

With the LibPCAP capturing engine, the packet-processing task can use only one CPU core.

To distribute the packet-processing tasks of Packet Sensor over multiple CPU cores, either enable CPU Threads with PF_RING, Netmap or Sniffer10G, or use the following technique:
  1. Use Intel X520, Intel X540 or any other NIC that has the Intel 82599 chipset.
  2. Install PF_RING version 6 and use the PF_RING-aware ixgbe driver.
  3. See the number of RSS queues allocated by the ixgbe driver by executing dmesg, or by listing /var/log/messages or /var/log/syslog. The number of RSS queues should be equal to the number of CPU cores detected by the Linux kernel.
  4. Define multiple Packet Sensors, each listening to ethX@queue_id or ethX@queue_range. All Packet Sensors defined to listen to a single interface use a single Sensor license.
  5. Aggregate all Packet Sensors into a single Sensor Cluster to have a unified anomaly detection domain.
Example: on a quad-core CPU with multithreading, the ixgbe driver allocates 8 RSS queues. In this case, you can have a Packet Sensor listening to ethX@0-3 and another one listening to ethX@4-7. The packet-processing task will be distributed over 2 CPU cores.

Andrisoft Team
Date Created
2014-01-21 18:18:58
Date Updated
2017-12-10 01:41:57