[Oisf-devel] Better PF_RING performance with workers run-mode now instead of autofp
Martin Holste
mcholste at gmail.com
Wed Jan 11 18:21:59 UTC 2012
Thanks for the info Chris--our workload is very similar to yours, so
it's good to have that confirmation.
Update: ac/autofp is better than ac/auto, with something like 20%
drop, and 800% CPU compared with about 500% using workers. So, I
think I'm going back to ac-gfbs/workers unless anyone else has a tweak
to suggest.
My hunch is that ac/auto performs poorly because only one thread is
assigned to do the stream and decode, which at high volumes is intense
and too much for a single thread to handle, especially now that server
responses have the HTTP buffers added.
On Wed, Jan 11, 2012 at 11:59 AM, Chris Wakelin
<c.d.wakelin at reading.ac.uk> wrote:
> I've been running ac/full with workers for weeks (~4000 rules, 6
> threads, 40-80kpps on a port-mirrored 1Gb link; I haven't been given my
> 10Gb mirror back yet), which seems to work OK; the startup time is quite
> long, and we do drop some packets (according to PF_RING's own stats in
> /proc/net/pf_ring/*-<dev>.*) from time to time.
>
> Best Wishes,
> Chris
>
> On 11/01/12 17:49, Martin Holste wrote:
>> Update: ac with auto has even worse performance. Seeing 70-80% loss.
>>
>> On Wed, Jan 11, 2012 at 11:30 AM, Martin Holste <mcholste at gmail.com> wrote:
>>> Ah, interesting. I've been using ac-gfbs, though I used to use ac.
>>> Since I run "full," the memory footprint is much smaller with gfbs.
>>> We have a ton of RAM, so it's the long startup time that's the biggest
>>> issue with memory utilization. I'll flip over to ac with autofp and
>>> see if we see any difference.
>>>
>>> On Wed, Jan 11, 2012 at 1:23 AM, Victor Julien <victor at inliniac.net> wrote:
>>>> Are you using ac or ac-gfbs? Anoop has been improving both. I think the
>>>> most significant gain would be when using "ac" "single/auto".
>
>
> --
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin, c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
> Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
More information about the Oisf-devel
mailing list