[Oisf-users] Runmode autofp vs auto
elof2 at sentor.se
Fri Nov 27 21:13:18 UTC 2015
Hi again!
When I run suricata in "autofp" mode, 'top' shows the total CPU usage
jumping between 40-65%.
When I change it to "auto" mode, 'top' shows a stable CPU usage at 22%.
I'm using a looping tcpreplay to generate the same live data with a
constant packets per second rate in both tests.
Q1)
Should the flow pinning load balancing really eat that much more CPU than
the plain "auto" mode?
Q2)
How come the total CPU usage is jumping up and down so much?
'top' shows 55%, 40%, 53%, 71%, 47, 66%, etc.
Shouldn't the extra workload for autofp load balancing be pretty constant
and not generate dips and spikes like this?
(in runmode "auto" the total is stable at 22% all the time, with only
minor deviations down to 21% or up to 22.5%)
Q3)
So this test indicates that using "auto" is better than "autofp" in
my FreeBSD setup. The Suricata default, however, is "autofp", and most
documentation points to using it. This makes me wonder:
Are there any drawbacks from using "auto" instead of the default "autofp"?
I understand that it is possible, if you're unlucky, that the traffic is
hashed in such a way that some threads can get much more traffic than the
others. But are there any drawbacks apart from that?
Q4)
Speaking of the hash in runmode "auto"... What is actually hashed? A
full 5-tuple of proto+srcip+srcprt+dstip+dstprt?
/Elof