[Oisf-devel] Running suricata in valgrind (callgrind)

Pierre Chifflier chifflier at edenwall.com
Tue Apr 13 20:16:37 UTC 2010


Hi,

I was wondering why starting Suricata takes so much time (especially in
valgrind) so I decided to run suricata in callgrind.

This took some time but the results are very interesting!

Tests:
Git from today (ead13bda4aa7a94e265cd632db809fb0a44837cf)
70 rule files processed. 3077 rules succesfully loaded, 38 rules failed

Most (98.21%) of the startup time is spent in SigLoadSignatures. Opening
the trace (not attached to this mail, but I can send it if you want) in
kcachegrind shows 37 million calls to DetectAddressCmpIPv4!

Looking at the code, it seems that signatures are stored in an ordered
linked list (in stage 3) ... This is clearly inefficient and can lead to
exponential insert time.
Is there a reason for this? If not, maybe this could be changed to a
better structure, e.g. a btree, a red-black tree or whatever?

Attached is an export of the call graph.

Cheers,
Pierre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: callgrind.out.21488.png
Type: image/png
Size: 145040 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100413/01cceefe/attachment.png>
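
An added illustration of the insert cost discussed in the message above (not code from the original mail or from Suricata): it counts comparator calls when building an ordered linked list versus a binary-searched sorted array, which stands in here for the tree structures the mail suggests. The names cmp_ipv4, list_build_cost and array_build_cost are hypothetical, and the ascending 10.0.0.x input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static unsigned long cmp_calls;   /* comparator invocations, as a profiler would count them */

/* Hypothetical comparator standing in for an address-compare routine. */
static int cmp_ipv4(const uint32_t *a, const uint32_t *b) {
    cmp_calls++;
    return (*a > *b) - (*a < *b);
}
struct node { uint32_t addr; struct node *next; };

/* Ordered linked list: every insert walks from the head, O(n) compares. */
unsigned long list_build_cost(uint32_t n) {
    struct node *head = NULL, *t;
    cmp_calls = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t addr = 0x0a000000u + i;          /* constructed input: 10.0.0.0 upward */
        struct node **pp = &head, *nn = malloc(sizeof *nn);
        if (!nn) abort();
        while (*pp && cmp_ipv4(&(*pp)->addr, &addr) < 0) pp = &(*pp)->next;
        nn->addr = addr; nn->next = *pp; *pp = nn;
    }
    for (; head; head = t) { t = head->next; free(head); }
    return cmp_calls;
}

/* Sorted array with binary search: O(log n) compares per insert. */
unsigned long array_build_cost(uint32_t n) {
    uint32_t *a = malloc((n + 1) * sizeof *a);
    if (!a) abort();
    cmp_calls = 0;
    for (uint32_t len = 0; len < n; len++) {
        uint32_t addr = 0x0a000000u + len, lo = 0, hi = len;
        while (lo < hi) {                          /* lower-bound search */
            uint32_t mid = lo + (hi - lo) / 2;
            if (cmp_ipv4(&a[mid], &addr) < 0) lo = mid + 1; else hi = mid;
        }
        memmove(&a[lo + 1], &a[lo], (len - lo) * sizeof *a);
        a[lo] = addr;
    }
    free(a);
    return cmp_calls;
}
int main(void) {
    printf("list: %lu, array: %lu\n", list_build_cost(3000), array_build_cost(3000));
    return 0;
}
```

Ascending input is the worst case for the head-walking list, giving n(n-1)/2 comparator calls; the array version counts compares only and still pays for element moves on non-appending inserts.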

