[Oisf-users] autofp vs workers - updated comparison?

Rasmor, Zachary R zachary.r.rasmor at lmco.com
Mon Jul 20 15:53:32 UTC 2015



I was hoping for some updated insight regarding the comparison between the
autofp and workers runmodes. I saw some of the discussion on this thread
comparing the two from 2-3 years ago, but I think a lot has changed since
then. I've also noticed posts expressing performance concerns with autofp
because of contention due to locking, but I'm not sure how up-to-date those
are, either. 


The conventional wisdom from users on this thread, as well as from the
Suricata training I attended in Virginia this year, seems to suggest that
'workers' is the preferred runmode. However, my testing has shown various
circumstances where I'm dropping packets in workers mode due to 1 or 2 (out
of 16) threads pegged at ~99-100% CPU. Also, any costly Lua add-ons raise
the likelihood of holding up the pipeline and dropping packets in workers
mode. The load balancing aspects of autofp make it a more appealing and
logical option, in my mind.


I'd appreciate any up-to-date insight anyone has. I've noticed some of the
autofp related optimizations in 2.1beta4, but I'd like to better understand
how much autofp has evolved in the past couple years.






Zach Rasmor

Senior Software Engineer

Lockheed Martin CIRT

700 N Frederick Ave | Gaithersburg, MD 20879

Email: zachary.r.rasmor at lmco.com

Office: 301.240.6116

