[Oisf-users] autofp vs workers - updated comparison?
Eric Leblond
eric at regit.org
Mon Jul 20 16:36:21 UTC 2015
Hi,
Le 20 juil. 2015 5:53 PM, "Rasmor, Zachary R" <zachary.r.rasmor at lmco.com> a écrit :
>
> Hello,
>
>
>
> I was hoping for some updated insight regarding the comparison between the autofp and workers runmodes. I saw some of discussion on this thread comparing the two from 2-3 years ago, but I think a lot has changed since then. I’ve also noticed posts expressing performance concerns with autofp because of contention due to locking, but I’m not sure how up-to-date those are, either.
>
>
>
> The conventional wisdom from users on this thread, as well as from the Suricata training I attended in Virgina this year, seem to suggest that ‘workers’ is the preferred runmode. However, my testing has shown various circumstances where I’m dropping packets in workers mode due to 1 or 2 (out of 16) threads pegged at ~99-100% CPU. Also, any costly Lua add-ons raise the likelihood of holding up the pipeline and dropping packets in workers mode. The load balancing aspects of autofp make it a more appealing and logical option, in my mind.
Yes but this is without considering the great work by some guys at Google ;) They have implemented an option in af_packet called rollover that send the packet to another socket in case of contention. I've proposed a PR implementing that mode in Suricata. It has shown some dramatic improvement regarding packet loss in workers mode. I hope Victor will merge that soon and that it will be available in next beta.
Side note: lua is not that slow compare to some regular expressions.
>
> I’d appreciate any up-to-date insight anyone has. I’ve noticed some of the autofp related optimizations in 2.1beta4, but I’d like to better understand how much autofp has evolved in the past couple years.
Recent feedback I've got seem to show workers mode is still better.
BR,
--
Eric
>
>
> Thanks,
>
> Zach
>
>
>
> ________________________
>
> Zach Rasmor
>
> Senior Software Engineer
>
> Lockheed Martin CIRT
>
> 700 N Frederick Ave | Gaithersburg, MD 20879
>
> Email: zachary.r.rasmor at lmco.com
>
> Office: 301.240.6116
>
>
More information about the Oisf-users
mailing list