[Oisf-users] Runmode autofp vs auto

Victor Julien lists at inliniac.net
Mon Nov 30 14:26:26 UTC 2015

On 27-11-15 22:13, elof2 at sentor.se wrote:
> Hi again!
> When I run suricata in "autofp" mode, 'top' shows the total CPU usage
> jumping between 40-65%.
> When I change it to "auto" mode, 'top' shows a stable CPU usage at 22%.
> I'm using a looping tcpreplay to generate the same live data with a
> constant packets per second rate in both tests.
> Q1)
> Should the flow pinning loadbalancing really eat that much more CPU than
> the plain "auto" mode?
> Q2)
> How come the total CPU usage is jumping up and down so much?
> 'top' shows 55%, 40%, 53%, 71%, 47, 66%, etc.
> Shouldn't the extra workload for autofp loadbalancing be pretty constant
> and not generate dips and spikes like this?
> (in runmode "auto" the total is stable at 22% all the time, with only
> minor deviations down to 21% or up to 22.5%)

Hard to say anything about those perf numbers w/o profiling.

> Q3)
> So this test indicates that using "auto" is better than "autofp" in my
> FreeBSD setup. The suricata default however, is "autofp", and most
> documentation points to using it. This makes me wonder:
> Are there any drawbacks from using "auto" instead of the default "autofp"?
> I understand that it is possible, if you're unlucky, that the traffic is
> hashed in such a way that some threads can get much more traffic than
> the others. But are there any drawbacks apart from that?
> Q4)
> Speaking of the hash in runmode "auto"... What is actually hashed? A
> full 5-tuple of proto+srcip+srcprt+dstip+dstprt?

Nothing, this is one of the problems. The detection threads get packets
in a sort of round robin fashion, meaning that packets from a single
flow could be inspected by multiple threads at the same time, causing
all kinds of ordering and timing issues in the detection engine.

In short: don't use auto.

In general we recommend workers instead of autofp, so I suggest going
for that.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list