[Bro-Dev] snaplen and drops
braun at net.in.tum.de
Thu Nov 3 17:00:27 PDT 2011
On Nov 3, 2011, at 2:51 PM, Martin Holste wrote:
>> So if you use libpcap >= 1.0.0, you should have AF_PACKET support by default. Snort/Suricata probably implemented separate AF_PACKET support for systems that ship libpcap < 1.0.0.
> I've used pcap > 1.0 and had much worse performance than AF_PACKET,
This is interesting. Could your result be related to the small default buffer size in libpcap (the 2MB which has been problematic with Bro if a snaplen of 64 Kb is used)?
Can you remember what your setup looked like?
> I'd be willing to bet that IRQ CPU utilization is higher with pcap and
> AF_PACKET does a polling mechanism to decrease its IRQ overhead. I
> can't speak to the mmap techniques and whether or not they differ, but
> IRQ alone would be enough to make a noticeable difference.
Hmm, I'm not sure that I understand. What do you mean by IRQ? Hardware interrupts originating from the NIC?
I can see the following things that can influence the capturing performance:
1.) hardware interrupts
2.) software interrupts == availability of kernel threads to pull data into userspace
3.) packet copy operations
4.) packet exchange between kernel and userspace (e.g. mmap)
5.) synchronization between kernel and userspace (e.g. poll() on a socket)
1.) + 2.) are handled by the kernel, and to the best of my knowledge neither libpcap nor libdaq should have any influence on them.
3.)-5.) are done using the same mechanisms in both libraries.
When I'm back at our lab next week, I'll try to find some time to do some experiments. If I can reproduce your observations, maybe I can find an explanation for the differences.
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone: +49 89 289-18010 Fax: +49 89 289-18033
E-mail: braun at net.in.tum.de