[Oisf-users] autofp mode performance - high level

Peter Manev petermanev at gmail.com
Wed Sep 4 07:09:27 UTC 2013


On Wed, Sep 4, 2013 at 2:06 AM, Darren Spruell <phatbuckett at gmail.com> wrote:
> Had a question about a statement from listserv [1] last month re: autofp
> performance:
>
> ...it seems autofp only works for <1Gbs traffic.
>
> However autofp was set as the default runmode some time ago which
> suggests to me that it must be reasonable/good for most cases compared
> to other modes.
>
> Assuming "most cases" aren't generally <1Gbps monitoring, is there any
> reason autofp wouldn't be suitable for monitoring higher traffic rates
> without problematic loss? Seems to me that it would also depend on
> acquisition method (pcap, pfring, afpacket etc.) (and of course many
> other variables).
>
> Looking at about a ~5 Gbps traffic flow on a couple of interfaces, 8
> cores/32GB RAM/Intel 82599. Wondering if autofp mode is to be avoided to
> focus on something like workers mode, etc.

Please let us know how it goes with this setup and traffic.

>
> [1]
> https://lists.openinfosecfoundation.org/pipermail/oisf-users/2013-August/002954.html
>
> --
> DS
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/


