[Oisf-users] autofp mode performance - high level
Darren Spruell
phatbuckett at gmail.com
Wed Sep 4 00:06:11 UTC 2013
Had a question about a statement from listserv [1] last month re: autofp
performance:
...it seems autofp only works for <1Gbs traffic.
However autofp was set as the default runmode some time ago which
suggests to me that it must be reasonable/good for most cases compared
to other modes.
Assuming "most cases" aren't generally <1Gbps monitoring, is there any
reason autofp wouldn't be suitable for monitoring higher traffic rates
without problematic loss? Seems to me that it would also depend on
acquisition method (pcap, pfring, afpacket etc.) (and of course many
other variables).
Looking at about a ~5 Gbps traffic flow on a couple of interfaces, 8
cores/32GB RAM/Intel 82599. Wondering if autofp mode is to be avoided to
focus on something like workers mode, etc.
[1]
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2013-August/002954.html
--
DS
More information about the Oisf-users
mailing list