Optimization #2218

Updated by Victor Julien over 6 years ago

Not sure why Suricata chooses to disable all NIC offloads by default on Linux, and spews out a nasty/scary warning in the logs:

 <pre> 
 29/9/2017 -- 15:00:42 - <Notice> - This is Suricata version 3.2.1 RELEASE 
 29/9/2017 -- 15:00:45 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on eth0: SG: SET,    GRO: SET, LRO: unset, TSO: SET, GSO: SET. Run: ethtool -K eth0 sg off gro off lro off tso off gso off 
 29/9/2017 -- 15:00:45 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using AF_PACKET with offloading activated leads to capture problems 
 </pre> 

 I can understand why packet capture with various receive offloads like LRO/GRO, or even receive checksum offload, can make life difficult for packet analysis. But on the transmit side, Suricata can trust that the NIC driver will "do the right thing" (TM) for TSO packets, or drop them, if for example the TCP pseudo-header checksum is incorrect or something. 

 From a performance POV, TSO makes a huge difference, both in terms of CPU utilization and throughput. Anecdotally, we've measured CPU/throughput going from 453%/2131Mbps to 110%/9842Mbps (10GbE line rate) just by turning TSO on manually using "ethtool -K tso on".

 I can propose a patch to leave TSO enabled in AF_PACKET runmode if you agree.
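
As an added illustration (not part of the original issue and not Suricata code), this Python example parses the SC_ERR_NIC_OFFLOADING warning shown above and groups the offloads it reports as enabled by direction, which is the receive/transmit distinction the report draws. The function names are hypothetical; the eth0 and AF_PACKET sample lines are copied from the log above and the eth1 line is constructed.

```python
import re

# Direction of each offload named in the warning (standard Linux meanings).
OFFLOAD_DIRECTION = {
    "GRO": "rx",  # generic receive offload
    "LRO": "rx",  # large receive offload
    "SG": "tx",   # scatter-gather
    "TSO": "tx",  # TCP segmentation offload
    "GSO": "tx",  # generic segmentation offload
}

WARNING_RE = re.compile(
    r"SC_ERR_NIC_OFFLOADING\(\d+\)\] - NIC offloading on (?P<iface>\S+): "
    r"(?P<flags>.*?)\. Run:"
)
FLAG_RE = re.compile(r"(\w+):\s*(SET|unset)")

# eth0 and AF_PACKET lines copied from the issue's log; the eth1 line is constructed.
SAMPLE_LOG = [
    "29/9/2017 -- 15:00:45 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - "
    "NIC offloading on eth0: SG: SET,    GRO: SET, LRO: unset, TSO: SET, GSO: SET. "
    "Run: ethtool -K eth0 sg off gro off lro off tso off gso off",
    "29/9/2017 -- 15:00:45 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - "
    "NIC offloading on eth1: SG: unset, GRO: unset, LRO: SET, TSO: unset, GSO: unset. "
    "Run: ethtool -K eth1 sg off gro off lro off tso off gso off",
    "29/9/2017 -- 15:00:45 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - "
    "Using AF_PACKET with offloading activated leads to capture problems",
]

def parse_offload_warning(line):
    """Return (iface, {offload: enabled}) or None if the line is not the warning."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    states = FLAG_RE.findall(m.group("flags"))
    return m.group("iface"), {name: state == "SET" for name, state in states}

def scan(lines):
    """Map each interface to its enabled offloads, grouped as rx / tx / unknown."""
    report = {}
    for line in lines:
        parsed = parse_offload_warning(line)
        if parsed:
            iface, flags = parsed
            groups = {"rx": [], "tx": [], "unknown": []}
            for name, enabled in flags.items():
                if enabled:
                    groups[OFFLOAD_DIRECTION.get(name, "unknown")].append(name)
            report[iface] = groups
    return report

if __name__ == "__main__":
    for iface, groups in scan(SAMPLE_LOG).items():
        print(iface, "rx:", groups["rx"], "tx:", groups["tx"])
```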