[Oisf-users] afpacket performance

Theodore Elhourani theodore.elhourani at gmail.com
Thu Aug 22 17:01:01 UTC 2013

If I don't specify the interface in the af-packet section, then the engine
seems to utilize a single af-packet by default.

Multiple receive threads will not work well with multiple detect threads in
autofp mode. This seems to be because the data that a detect thread needs
may be residing closer to a different core, hence forcing memory copying.

Doing the same test, with multiple receive and detect threads, in workers
mode has solved the problem.

On Wed, Aug 21, 2013 at 9:38 PM, Theodore Elhourani <
theodore.elhourani at gmail.com> wrote:

> I am running suricata on 4 cores with 8GB RAM.
> When I start the engine with this:
> suricata --af-packet=eth3 -c /etc/suricata/suricata.yaml --pidfile
> /var/run/suricata.pid -D
> (I)
> Without specifying the interface (eth3) in the af-packet section of the
> config file, I get a single RxAFP thread. CPU utilization for all 4 cores
> remains below 60%.
> (II)
> Once I set eth3 in the afpacket section:
> # af-packet support
> # Set threads to > 1 to use PACKET_FANOUT support
> af-packet:
>   - interface: eth3  ## none
>     # Number of receive threads (>1 will enable experimental flow pinned
>     # runmode)
>     threads: 1
> I notice that one of the cores is always above 90% utilization with mainly
> kernel threads causing this utilization.
> (III)
> If I repeat this latter test with "threads: 4" in the af-packet section, I
> get a high utilization on all 4 cores (>90%) and mainly occupied by kernel
> threads.
> The traffic loads are identical in all tests, and runmode is autofp. Can
> someone please explain this behavior?
> Thanks
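
The setup the message above settles on (several af-packet receive threads combined with the workers runmode), written out as an added configuration sketch that is not part of the original post. The `cluster-id` value is an assumed sample, and `threads: 4` is chosen to match the 4-core machine described in the quoted message.

```yaml
# suricata.yaml fragment (constructed example, not from the original post)

# runmode: autofp    # setting used in the quoted tests: capture threads
#                    # hand packets over to separate detect threads
# In workers mode each thread captures, decodes and detects its own
# packets, so a flow stays on one thread from capture through detection.
runmode: workers

af-packet:
  - interface: eth3
    # More than one thread enables PACKET_FANOUT; one per core here
    threads: 4
    # Assumed sample value; identifies the fanout group for this interface
    cluster-id: 99
    # Hash by flow so all packets of a flow reach the same thread
    cluster-type: cluster_flow
    # Let the kernel reassemble fragments before the flow hash is computed
    defrag: yes
```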