8.16. Procedure to optimize performances

A - Introduction

Performance optimization can be achieved in the following ways:

  • Subject 1: adapting the GCap to the network characteristics

    • Inconsistency between the MTU defined on the GCap and that of the captured frames.
      To modify the MTU, see D - Procedure to adjust the captured packet size.
    • Check that the characteristics of the GCap, such as maximum throughput, number of sessions, etc., match those of the network to be monitored.
      For this purpose, consult the GCap data-sheets.

  • Subject 2: optimizing GCap resources

    • The number of CPUs allocated to the detection engine is too low.
      The CPUs may be overloaded and potentially packets may go unanalysed and therefore dropped.
    • Prefer using a TAP aggregator as opposed to the GCap "cluster" function.
      The solution with an aggregator TAP is preferable because it is the one that requires the least resources of the identical flow GCap.

  • Subject 3: optimizing the network flow to be analyzed

    • One or more CPUs are being overloaded because there are too many packets being analyzed.

      • To reduce the size of the captured network, it is possible to suppress the unnecessarily analyzed flow.

      • To manage this packet filtering, see the procedure for defining flow filtering rules.

    • Only one CPU is being overloaded.
      In this case, the flow load is poorly distributed between the CPUs.
      • To change this, it is possible to define a rule or more certainly modify an existing rule.
        A flow was defined but it was too large. It must therefore be subdivided so that each part is analyzed by several CPUs.

      • To modify the rules, see the procedure for defining static packet filtering rules.

    • Change the analyzed protocols.

      • To modify this list, this action must be performed on the paired GCenter.
        Refer to the GCenter documentation.

  • Subject 4: optimizing the detection engine rules

    The rules define:

    • Detection rules

    • File rebuilding rules

    • Rules defining thresholds or limits under the threshold heading
      Refer to the GCenter documentation for more information.

  • Subject 5: monitoring the solution

    A monitoring service known as Netdata, embedded in the GCenter, enables real time information to be collected on the status of CPUs, load, disks, detection engines, and filtering.
    This feature is available at https://Nom_du_GCenter/gstats.
    On the GCap, Netdata enables more information on protocol counters, number of sessions, flows, and hash table status from 'Stats.log'.

B - Prerequisites

  • User: setup

  • Commands used in this procedure:

C - Preliminary operations

  1. Connect to the GCap (refer to Procedure to remote connection to GCap via an SSH tunnel)

  2. Stop the Sigflow detection engine (refer to monitoring-engine).

D - Procedure to adjust the captured packet size

This setting enables adjusting the size of the captured packet to match the size of those packets circulating on the network.

Danger

XDP Filtering features is not supported if the MTU > 3000.

  1. Use the show interfaces command to display the MTU value in bytes of all enabled network interfaces.

  2. Use the set advanced-configuration mtu command to change the MTU of a network interface.

E - Procedure to define flow filtering rules

Tip

The CPU(s) present is overloaded and part of the flow cannot be analyzed, a number of packets is dropped:

  • To view the number of dropped packets per CPU core, use the `show health` command, details of softnet counters - Statistics on received packets based on processor cores.
    Part of the captured flow cannot be detected, nor reconstructed: for example, encrypted flows.
If nothing is done, the system will monopolize resources to achieve a result known in advance.
To avoid this, it is possible to create rules to filter the flow to be captured.

  1. Use the show advanced-configuration packet-filtering command to display static packet filter rules.