FlowTraq: Disk Performance Tweaks on Linux

Solution Number: S35485
Last Modified: 2022-03-29
Issue
FlowTraq users sometimes experience disk performance much poorer than they expect from their hardware. We have found several potential causes for this. The first is an OS reschedule queue that is far too small to combine multiple 200-byte writes into the same block update to disk; increasing 'nr_requests' fixed it reliably. The second cause of poor performance was a large number of long-running sessions.
Solution
For the first cause, run the following as root (sda is the disk in this example):
echo "16384" > /sys/block/sda/queue/nr_requests
For the second cause, setting 'timeout' and 'toolong' both to 600 causes FlowTraq to divide long-running sessions into smaller ones, and the system performs smoothly: inflow is no longer choppy, and AVGTIME is down to 300ms.
NOTE: If 'toolong' is set short, queries of the TTIME/Flow Duration type no longer work (one can't look for a 2-hour session if it was chopped up after 10 minutes).
CAUTION: changing ‘timeout’ and ‘toolong’ can reduce the accuracy of the Exfiltration detector.
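The 'nr_requests' change above, as an added example that is not part of the original article or of FlowTraq's own tooling: a shell function that raises the value only when it is below the target and reads it back to confirm the kernel accepted it. The function names and the optional sysfs-root argument are assumptions introduced here so the logic can be tried against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not FlowTraq code). The third argument, a sysfs root, is an
# assumption for dry runs against a constructed tree; on a real host omit it.

# queue_file DEVICE [SYSFS_ROOT]: print the path of the device's nr_requests file
queue_file() {
    printf '%s/block/%s/queue/nr_requests\n' "${2:-/sys}" "$1"
}

# raise_nr_requests DEVICE TARGET [SYSFS_ROOT]
# Returns 0 if the queue depth is at least TARGET afterwards,
#         1 on bad arguments or a missing device,
#         2 if the write was refused or did not take effect.
raise_nr_requests() {
    dev=$1 target=$2 root=${3:-/sys}
    # Reject names that could escape the block/ directory.
    case $dev in ''|*/*|.*) echo "bad device name: $dev" >&2; return 1;; esac
    case $target in ''|*[!0-9]*) echo "target must be an integer" >&2; return 1;; esac

    f=$(queue_file "$dev" "$root")
    [ -f "$f" ] || { echo "no such queue file: $f" >&2; return 1; }

    current=$(cat "$f")
    if [ "$current" -ge "$target" ]; then
        echo "$dev: nr_requests already $current, leaving unchanged"
        return 0
    fi

    # The kernel can refuse the write (for example when the value is out of
    # range for the device), so check the exit status and read the value back.
    if ! echo "$target" > "$f" 2>/dev/null; then
        echo "$dev: write of nr_requests=$target refused (still $current)" >&2
        return 2
    fi
    applied=$(cat "$f")
    if [ "$applied" -lt "$target" ]; then
        echo "$dev: asked for $target, kernel applied $applied" >&2
        return 2
    fi
    echo "$dev: nr_requests $current -> $applied"
}
```

On a real host, call `raise_nr_requests sda 16384` as root. Values written under /sys do not survive a reboot, so the call has to be repeated at boot.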