RH442-11 网络调优之二

 一、网络传输碎片（fragmentation）

1.   查看网络碎片的summary，netstat –s

[root@station2 ~]# netstat -s

Ip:

    65837 total packets received

    2707 with invalid addresses

    0 forwarded

    0 incoming packets discarded

    49662 incoming packets delivered

    38977 requests sent out

Icmp:

    4024 ICMP messages received

    0 input ICMP message failed.

    ICMP input histogram:

        destination unreachable: 4018

        echo requests: 6

    4022 ICMP messages sent

    0 ICMP messages failed

    ICMP output histogram:

        destination unreachable: 4016

        echo replies: 6

IcmpMsg:

        InType3: 4018

        InType8: 6

        OutType0: 6

        OutType3: 4016

Tcp:

    878 active connections openings

    674 passive connection openings

    120 failed connection attempts

    1 connection resets received

    1 connections established

    34722 segments received

    28212 segments send out

    15 segments retransmited

    0 bad segments received.

    213 resets sent

Udp:

    2712 packets received

    4016 packets to unknown port received.

    0 packet receive errors

    6728 packets sent

TcpExt:

    671 TCP sockets finished time wait in fast timer

    1603 delayed acks sent

    Quick ack mode was activated 1 times

    17071 packets header predicted

    3252 acknowledgments not containing data received

    4603 predicted acknowledgments

    9 congestion windows recovered after partial ack

    0 TCP data loss events

    6 retransmits in slow start

    9 other TCP timeouts

    12 DSACKs sent for old packets

    9 DSACKs received

    29 connections reset due to unexpected data

IpExt:

    InMcastPkts: 1

InBcastPkts: 4187

2.   查看网络中由于传输失效，重组失败的数据包

[root@station2 ~]# cat /proc/net/snmp | grep '^Ip:' | cut -f17 -d ' '

ReasmFails

0

#如果重组的数量很多，则说明网络存在问题，需要调整buffer，说明buffer size 太小了。

3.   出现碎片的原因

l  DDos攻击。

l  NFS协议产生。

l  网络有干扰，过于嘈杂。

l  网络有缺陷。

4.   调整碎片的buffer

#红色线为警告线，绿色线为安全线。

[root@station2 ~]# sysctl -a|grep ipfrag       

net.ipv4.ipfrag_max_dist = 64

net.ipv4.ipfrag_secret_interval = 600

net.ipv4.ipfrag_time = 30   

#该参数表示数据碎片在内存中存在的时间，30s后仍然未重组发送则放弃数据，s（秒）

net.ipv4.ipfrag_low_thresh = 196608 

#该参数表示碎片数据达到参数值时开始重组,并尝试发送，byte

net.ipv4.ipfrag_high_thresh = 262144

#该参数表示碎片数据达到参数值时放弃数据，byte

 

二、网络中断处理

1.   每一次网卡响应（每一个数据包），NIC都会向CPU申请硬中断，同时也会申请软中断，用于将数据接受到队列中。

2.   中断处理总是会抢占进程队列，也就是中断的优先级高于进程队列。如果用于数据传输的队列满了，则数据将会被丢弃。如果接受的数据包慢了，则数据也会被丢弃。需要防止出现这种高负载。

l  查看硬中断 /proc/interrupts

[root@station9 ~]# cat /proc/interrupts

           CPU0       CPU1       CPU2       CPU3      

  0:  284392205      21995      22047      22071    IO-APIC-edge  timer

  1:          1          0          1          1    IO-APIC-edge  i8042

  8:          1          2          0          0    IO-APIC-edge  rtc

  9:          0          0          0          0   IO-APIC-level  acpi

 12:          2          1          1          0    IO-APIC-edge  i8042

 74:          0          0          0          0   IO-APIC-level  uhci_hcd:usb4

 82:        131        134     421406     421390   IO-APIC-level  ehci_hcd:usb1, uhci_hcd:usb2

 90:         11         21         22          8   IO-APIC-level  uhci_hcd:usb3

 98:          0          0          0          0   IO-APIC-level  ahci

162:         21          0          0     282046         PCI-MSI  eth0

177:       1426       1492      47987      45870   IO-APIC-level  ioc0

NMI:          0          0          0          0

LOC:  284430478  284430487  284430483  284430491

ERR:          0

l  查看进程的软中断

[root@station9 ~]# ps axo pid,comm,util |grep softirq

    3 ksoftirqd/0      0

    6 ksoftirqd/1      0

    9 ksoftirqd/2      0

   12 ksoftirqd/3      0

3.   提升中断的处理能力

l  在一个中断中处理多个事物。

l  给每个事物分配一个固定的CPU时间片。

4.   调中断请求

lmodinfo -p e1000

[root@station9 ~]# modinfo -p e1000

debug:Debug level (0=none,...,16=all)

copybreak:Maximum size of packet that is copied to a new buffer on receive

KumeranLockLoss:Enable Kumeran lock loss workaround

SmartPowerDownEnable:Enable PHY smart power down

InterruptThrottleRate:Interrupt Throttling Rate

RxAbsIntDelay:Receive Absolute Interrupt Delay

RxIntDelay:Receive Interrupt Delay

TxAbsIntDelay:Transmit Absolute Interrupt Delay

TxIntDelay:Transmit Interrupt Delay

XsumRX:Disable or enable Receive Checksum offload

FlowControl:Flow Control setting

AutoNeg:Advertised auto-negotiation setting

Duplex:Duplex setting

Speed:Speed setting

RxDescriptors:Number of receive descriptors

TxDescPower:Binary exponential size (2^X) of each transmit descriptor

TxDescriptors:Number of transmit descripto

 

lupdate /etc/modprobe.conf

[root@station9 ~]# vim /etc/modprobe.conf

alias eth0 e1000e

alias eth1 e1000e

alias eth2 e1000e

alias eth3 e1000e

options e1000e InterruptThrottleRate=1,3000

#每秒能够处理3000个数据请求，该数值越大则消耗的buffer就越大。

0：关闭（有0、1、3共三个值可取）

1：则表示系统根据流量自动判断

3：保守的处理，系统自动调节

 

三、网络连接

1.   调整TCP三次握手建立之前的设置

net.ipv4.tcp_syn_retries = 5  

#尝试5次连接。

net.ipv4.tcp_max_syn_backlog = 1024 

#最多能存放1024条连接，每个连接最多尝试5次。

net.ipv4.tcp_tw_recycle = 0

#该参数设置成0 的时候表示不开状态不允许重试，1为允许。

 

2.   调整TCP三次握手建立之后的设置

net.ipv4.tcp_keepalive_time = 7200

#存活的定时器，默认为7200秒，代表若已经建立起来的连接在7200秒（2小时）内，没有做任何操作，则该连接自动中断。

net.ipv4.tcp_keepalive_intvl = 75

#内核侦测的时间间隔。

net.ipv4.tcp_keepalive_probes = 9

#内核侦测的次数。

本文转自netsword 51CTO博客，原文链接:http://blog.51cto.com/netsword/658290