[Oisf-users] Runmode autofp vs auto
Victor Julien
lists at inliniac.net
Mon Nov 30 14:26:26 UTC 2015
On 27-11-15 22:13, elof2 at sentor.se wrote:
> Hi again!
>
> When I run suricata in "autofp" mode, 'top' shows the total CPU usage
> jumping between 40-65%.
>
> When I change it to "auto" mode, 'top' shows a stable CPU usage at 22%.
>
>
> I'm using a looping tcpreplay to generate the same live data with a
> constant packets per second rate in both tests.
>
>
> Q1)
> Should the flow pinning loadbalancing really eat that much more CPU than
> the plain "auto" mode?
>
>
> Q2)
> How come the total CPU usage is jumping up and down so much?
> 'top' shows 55%, 40%, 53%, 71%, 47, 66%, etc.
> Shouldn't the extra workload for autofp loadbalancing be pretty constant
> and not generate dips and spikes like this?
>
> (in runmode "auto" the total is stable at 22% all the time, with only
> minor deviations down to 21% or up to 22.5%)

Hard to say anything about those perf numbers w/o profiling.

>
> Q3)
> So this test indicates that using "auto" is better than "autofp" in my
> FreeBSD setup. The suricata default however, is "autofp", and most
> documentation points to using it. This makes me wonder:
> Are there any drawbacks from using "auto" instead of the default "autofp"?
>
> I understand that it is possible, if you're unlucky, that the traffic is
> hashed in such a way that some threads can get much more traffic than
> the others. But are there any drawbacks apart from that?
>
>
> Q4)
> Speaking of the hash in runmode "auto"... What is actually hashed? A
> full 5-tuple of proto+srcip+srcprt+dstip+dstprt?

Nothing, this is one of the problems. The detection threads get packets
in a sort of round robin fashion, meaning that packets from a single
flow could be inspected by multiple threads at the same time, causing
all kinds of ordering and timing issues in the detection engine.

In short: don't use auto.

In general we recommend workers instead of autofp, so I suggest going
for that.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
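
A simplified model of the distribution problem described in the reply above, added here as an example; it is not code from the message or from Suricata. It compares round-robin hand-off with flow-pinned hand-off and counts how many threads end up touching each flow. The thread count, function names and sample traffic are constructed assumptions.

```python
import hashlib
from collections import defaultdict

THREADS = 4  # assumed number of detection threads

def flow_key(pkt):
    """Direction-independent 5-tuple key: both directions of a flow share it."""
    proto, src, sport, dst, dport = pkt
    a, b = sorted([(src, sport), (dst, dport)])
    return (proto, a, b)

def assign_round_robin(packets):
    """Model of round-robin hand-off: packet i goes to thread i mod THREADS."""
    return [(i % THREADS, pkt) for i, pkt in enumerate(packets)]

def assign_flow_pinned(packets):
    """Model of flow pinning: the thread is derived from a hash of the flow key."""
    out = []
    for pkt in packets:
        digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
        out.append((int.from_bytes(digest[:4], "big") % THREADS, pkt))
    return out

def threads_per_flow(assignment):
    """Return {flow_key: number of distinct threads that saw its packets}."""
    seen = defaultdict(set)
    for thread, pkt in assignment:
        seen[flow_key(pkt)].add(thread)
    return {key: len(threads) for key, threads in seen.items()}

def sample_packets():
    """Constructed traffic: 3 TCP flows, 6 packets each, interleaved,
    alternating client->server and server->client."""
    flows = [("10.0.0.1", 40000 + i, "192.0.2.10", 80) for i in range(3)]
    pkts = []
    for n in range(6):
        for src, sport, dst, dport in flows:
            if n % 2 == 0:
                pkts.append(("tcp", src, sport, dst, dport))
            else:
                pkts.append(("tcp", dst, dport, src, sport))
    return pkts

if __name__ == "__main__":
    pkts = sample_packets()
    print("round robin:", threads_per_flow(assign_round_robin(pkts)))
    print("flow pinned:", threads_per_flow(assign_flow_pinned(pkts)))
```

In this model every flow is seen by all four threads under round robin, so no single thread observes the packets of a flow in order, while flow pinning keeps both directions of each flow on one thread.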