5.5.16. Optimising performance

5.5.16.1. Introduction

Performance optimisation can be achieved in the following ways:

  • Subject 1: adapting the GCap to the network characteristics

    • An inconsistency between the MTU configured on the GCap and the size of the frames to be captured.
      To modify the MTU, see the Procedure for adjusting the captured packet size.

    • Check that the characteristics of the GCap, such as maximum throughput, number of sessions, etc., match those of the network to be monitored.
      For this purpose, consult the GCap datasheets.

  • Subject 2: optimising GCap resources

    • The number of CPUs allocated to the detection engine is too low.
      The CPUs are then overloaded, and packets that cannot be analysed in time are dropped.

    • Prefer a TAP aggregator over the GCap "cluster" function.
      For the same flow, the TAP aggregator solution consumes the fewest GCap resources.

  • Subject 3: optimising the network flow to be analysed

    • One or more CPUs are overloaded because too many packets are being analysed.

      • To reduce the volume of captured traffic, the flows that do not need to be analysed can be excluded.

      • To set up this packet filtering, see the procedure for defining flow filtering rules.

    • Only one CPU is overloaded. In this case the flow load is poorly distributed between the CPUs.

      • To correct this, a new rule can be defined or, more likely, an existing rule modified: a flow was defined that is too large for a single CPU, so it must be subdivided so that its parts are analysed by several CPUs.

      • To modify the rules, see the procedure for defining static packet filtering rules.

    • Change the analysed protocols.

      • To modify this list, this action must be performed on the paired GCenter.
        See the GCenter documentation for more information.

  • Subject 4: optimising the detection engine rules

    The rules define:

    • Detection rules

    • File rebuilding rules

    • Rules defining thresholds or limits under the threshold heading

    See the GCenter documentation for more information.

  • Subject 5: monitoring the solution

    A monitoring service, Netdata, embedded in the GCenter collects real-time information on the status of the CPUs, load, disks, detection engines and filtering.
    This feature is available at https://Nom_du_GCenter/gstats (Nom_du_GCenter being the name of the GCenter).
    On the GCap, Netdata also provides the protocol counters, the numbers of sessions and flows, and the hash table status taken from 'Stats.log'.


5.5.16.2. Prerequisites


5.5.16.3. Preliminary operations


5.5.16.4. Procedure for adjusting the captured packet size

This setting enables adjusting the size of the captured packet to match the size of those packets circulating on the network.

Danger

XDP filtering is not supported if the MTU is greater than 3000.


5.5.16.5. Procedure for defining flow filtering rules

Tip

When the CPU(s) are overloaded, part of the flow cannot be analysed and a number of packets are dropped:

  • To view the number of dropped packets per CPU core, use the show health command (softnet statistics: counter details for packets received by each CPU core).
  • Certain parts of the captured flow cannot be detected or reconstructed in any case, for example encrypted flows.
    If nothing is done, the system will monopolise resources to reach a result that is known in advance.
    To avoid this, rules can be created to filter the flow to be captured.
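The per-core drop counters mentioned above are what separate the two cases of Subject 3 (every core overloaded, or a single core overloaded by one oversized flow). The script below is an added example written for this page, not GCap code: it assumes the per-core counters shown by the health command follow the Linux /proc/net/softnet_stat layout (one line per CPU, whitespace-separated hexadecimal fields, the first being packets processed and the second packets dropped), parses them, and reports which situation the drop pattern corresponds to. The two sample inputs and the imbalance threshold are constructed for the example and are not GCap values.

```python
"""Per-core receive statistics check.

Added example, not GCap code. It assumes the per-core counters shown by
the probe's health command follow the Linux /proc/net/softnet_stat layout:
one line per CPU, whitespace-separated hexadecimal fields, the first field
being packets processed and the second packets dropped by that core. The
sample text below is constructed for this example.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: four cores, only core 2 is saturated and dropping.
SINGLE_CORE_SAMPLE = """\
00a3d7c4 00000000 00000021 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00a3e112 00000000 0000001f 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03f2a8e0 0004c1b2 00003a10 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00a3c9f0 00000000 00000020 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""

# Constructed sample: every core is dropping, so the overall load is too high.
ALL_CORES_SAMPLE = """\
0192a7c0 0000b1e4 00001200 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0191f3a8 0000a9c2 000011f0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
01931b04 0000b530 00001210 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0192c66e 0000ad11 000011fc 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""


@dataclass
class CoreStats:
    cpu: int
    processed: int     # packets handled by this core
    dropped: int       # packets dropped because the core's backlog was full
    time_squeeze: int  # times the core ran out of budget with work still queued


def parse_softnet_stat(text: str) -> List[CoreStats]:
    """Parse softnet_stat-style text into one CoreStats per CPU (line order = CPU id)."""
    cores = []
    lines = [l for l in text.splitlines() if l.strip()]
    for cpu, line in enumerate(lines):
        fields = [int(f, 16) for f in line.split()]
        if len(fields) < 3:
            raise ValueError(f"line {cpu}: expected at least 3 hex fields, got {len(fields)}")
        cores.append(CoreStats(cpu, fields[0], fields[1], fields[2]))
    return cores


def drop_rate(core: CoreStats) -> float:
    """Fraction of packets offered to the core that were dropped."""
    total = core.processed + core.dropped
    return core.dropped / total if total else 0.0


def classify_load(cores: List[CoreStats], imbalance_ratio: float = 3.0) -> str:
    """Map the drop pattern onto the two cases of Subject 3.

    'all_overloaded'          every core drops: too much traffic overall,
                              filter out the flows that need not be analysed.
    'single_core_overloaded'  one core drops and handles far more packets
                              than the busiest of the others: the flow
                              assigned to it is too large and must be split.
    'partial_drops'           some cores drop without a clear hot spot.
    'ok'                      no core drops.
    imbalance_ratio is an illustrative threshold, not a GCap parameter.
    """
    dropping = [c for c in cores if c.dropped > 0]
    if not dropping:
        return "ok"
    if len(dropping) == len(cores):
        return "all_overloaded"
    hot = max(cores, key=lambda c: c.processed)
    others = [c.processed for c in cores if c.cpu != hot.cpu]
    if hot.dropped > 0 and others and hot.processed >= imbalance_ratio * max(others):
        return "single_core_overloaded"
    return "partial_drops"


def report(text: str) -> str:
    """Human-readable summary of the per-core counters and the diagnosis."""
    cores = parse_softnet_stat(text)
    lines = [f"cpu{c.cpu}: processed={c.processed} dropped={c.dropped} "
             f"drop_rate={drop_rate(c):.2%} time_squeeze={c.time_squeeze}"
             for c in cores]
    lines.append(f"diagnosis: {classify_load(cores)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SINGLE_CORE_SAMPLE))
    print()
    print(report(ALL_CORES_SAMPLE))
```

On the first sample the report singles out core 2 (the flow routed to it should be subdivided); on the second every core drops, which points to reducing the captured volume with a flow filtering rule rather than redistributing it. Run the script against a copy of the real counters to replace the constructed samples.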