[Oisf-users] autofp vs workers - updated comparison?

Peter Manev petermanev at gmail.com
Tue Jul 21 07:57:47 UTC 2015 

On Mon, Jul 20, 2015 at 7:36 PM, Eric Leblond <eric at regit.org> wrote:
> Hi,
>
> Le 20 juil. 2015 5:53 PM, "Rasmor, Zachary R" <zachary.r.rasmor at lmco.com> a écrit :
>>
>> Hello,
>>
>>
>>
>> I was hoping for some updated insight regarding the comparison between the autofp and workers runmodes. I saw some of discussion on this thread comparing the two from 2-3 years ago, but I think a lot has changed since then. I’ve also noticed posts expressing performance concerns with autofp because of contention due to locking, but I’m not sure how up-to-date those are, either.
>>
>>

Workers is definitely better on regular commodity HW from my
experience. If you are doing customizations to the code and using some
special appliances/NIC  this may not be the case anymore.

>>
>> The conventional wisdom from users on this thread, as well as from the Suricata training I attended in Virgina this year, seem to suggest that ‘workers’ is the preferred runmode. However, my testing has shown various circumstances where I’m dropping packets in workers mode due to 1 or 2 (out of 16) threads pegged at ~99-100% CPU. Also, any costly Lua add-ons raise the likelihood of holding up the pipeline and dropping packets in workers mode. The load balancing aspects of autofp make it a more appealing and logical option, in my mind.
>

I have experienced that myself - can be challenging to
manage/adjust/tune indeed. However Eric's patch (as explained below)
indeed shows a serious improvement in that area (in my tests anyway on
live traffic). The PR itself -
https://github.com/inliniac/suricata/pull/1592

> Yes but this is without considering the great work by some guys at Google ;) They have implemented an option in af_packet called rollover that send the packet to another socket in case of contention. I've proposed a PR implementing that mode in Suricata. It has shown some dramatic improvement regarding packet loss in workers mode. I hope Victor will merge that soon and that it will be available in next beta.
>
> Side note: lua is not that slow compare to some regular expressions.
>
>>
>> I’d appreciate any up-to-date insight anyone has. I’ve noticed some of the autofp related optimizations in 2.1beta4, but I’d like to better understand how much autofp has evolved in the past couple years.
>
> Recent feedback I've got seem to show workers mode is still better.
>
> BR,
> --
> Eric
>
>>
>>
>> Thanks,
>>
>> Zach
>>
>>
>>
>> ________________________
>>
>> Zach Rasmor
>>
>> Senior Software Engineer
>>
>> Lockheed Martin CIRT
>>
>> 700 N Frederick Ave | Gaithersburg, MD 20879
>>
>> Email: zachary.r.rasmor at lmco.com
>>
>> Office: 301.240.6116
>>
>>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list