[Oisf-devel] [RFC, PATCH 0/2] lighten Packet structure size

Victor Julien victor at inliniac.net
Mon Nov 15 08:29:48 UTC 2010 

Hi Eric,

Eric Leblond wrote:
> Hi,
> 
> This patchset is a real RFC. Code is not finished (and not enough tested) but
> in its current state it will give you a good idea of my proposal.
> 
> Working on some performance testing, I've found that the max-pending-packets
> can have a great influence on speed of suricata. But increasing this value to
> a high value has shown me an explosion in memory usage. The explanation was
> easy. This value increase the number of preallocated Packet structures and
> the Packet structure contains a char[65535+] field which contains the payload.
> 
> Preallocation is one of the key of speed but in this case, this huge structure
> is dramatically increasing the memory usage of Suricata.
> 
> Considering the fact that most of the packets are smaller than 1500 bytes, it
> appears that this huge array is almost unused and could be resized to 1500 if
> we manage to found a way to treat bigger packet separately.
> 
> This patchset proposes an implementation of this idea. The Packet structure
> has been modified to contains a 1500 bytes array which is dynamically converted
> to allocated array. Some getter and setter functions permit to have a quasi 
> transparency of the modification from a "user" point of view.
> 
> Given the scope of the modification, the patchset (even unfinished) is really
> huge. I thus decide to send an e-mail to the list with this RFC version to check
> if I'm going in a direction oisf fondation will be ready to go.
> 

First of all, I fully agree that we need to address this issue. However,
I'm (yet) not fully convinced yet at this point your solution is ideal.
Even though it's minimal, it does add some runtime complexity. Did you
benchmark this code?

I'm wondering if we can just use a single pointer to heap memory. That
would have a size of DFLT_PAYLOAD_SIZE by default, but would be
realloc'd to whatever size is needed if the packet is bigger than that.
If the next packet would be smaller, we realloc back to
DFLT_PAYLOAD_SIZE. This way we would get rid of the need to check which
payload to use every time we need to access the payload. But we would
also prevent doing some form of memory allocation for each packet.

I'm not sure though, the cost of accessing the heap alloc'd buffer each
time may be bigger than the gain of reduced complexity.

Thoughts?

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-devel mailing list