[Oisf-devel] Autofp vs. Worker runmode
Victor Julien
victor at inliniac.net
Sat Mar 16 06:33:23 EDT 2013
On 03/15/2013 06:31 PM, Song liu wrote:
> The online documentation did not mention how to choose between autofp
> and workers runmode.
> The doc does mention the potential bottlenecks of autofp (like
> pickup-queue lock and flow lock).
> So what is the potential bottleneck of workers runmode? The flow lock?
> As far as i understand, different workers only need to share the flow info.
>
> Could you please give a basic idea what kinds of situation is good for
> autofp, or what is good for workers?
> What runmodes are most of suricata users being using now?
The autofp runmode is most useful if the capture method doesn't support
multiple readers, such as the pcap file method. So in this case autofp
will load balance flows over the available cpu's.
This may also be true if the capture method has dumb load balancing, as
suricata does somewhat intelligent load balancing which may result in
better perf.
Workers has the advantage of keeping all pkt processing in one thread
and if cpu affinity is set all processing will stay on a single cpu/core.
In autofp there is some contention on the queues that xfer packets from
the reader thread to the detect threads.
In both cases the threads access global data structures such as flow
table, host table and some others. Lock contention there should be similar.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list