[Oisf-users] afpacket performance

Theodore Elhourani telhoura at email.arizona.edu
Thu Aug 22 04:38:36 UTC 2013


I am running suricata on 4 cores with 8GB RAM.
When I start the engine with this:
suricata --af-packet=eth3 -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -D


(I) 
Without specifying the interface (eth3) in the af-packet section of the config file, I get a single RxAFP thread. CPU utilization for all 4 cores remains below 60%.

(II) 
Once I set eth3 in the afpacket section:
# af-packet support
# Set threads to > 1 to use PACKET_FANOUT support
af-packet:
  - interface: eth3  ## none
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
I notice that one of the cores is always above 90% utilization with mainly kernel threads causing this utilization. 

(III)
If I repeat this latter test with "threads: 4" in the af-packet section, I get a high utilization on all 4 cores (>90%) and mainly occupied by kernel threads.




The traffic loads are identical in all tests, and runmode is autofp. Can someone please explain this behavior?

Thanks


