[Bro-Dev] new IPv6 code

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Feb 8 15:02:12 PST 2012

In topic/v6-addr, I finished switching Bro to enable IPv6 support by default and changing the internal representation to use classes.  I tried to do some initial rough benchmarking to compare it versus master and master with --enable-brov6.  Tests were run on a 16GB pcap (no IPv6 traffic) with local.bro loaded.

    120574kb vsize, 207.65s user, 20.36s system

master --enable-brov6
    126458kb vsize, 307.38s user, 20.87s system
    +5% mem, +44% cpu

    121142kb vsize, 309.33s user, 20.62s system
    +0.5%mem, +45% cpu

About 65% of the time difference in either the IPv6-supporting configurations looks to be due to the fact that the size of Conn::Key exceeds UHASH_KEY_SIZE and so falls back on the slower HMAC/MD5 when creating a HashKey of the data, which happens for every packet.

The negligible memory usage difference surprised me since they differ from previous results here: http://tracker.bro-ids.org/bro/ticket/68.  Maybe one possibility is that the scripts have changed so much since those benchmarks were run such that there's less state being tracked that involves addrs.  Or the pcap I used was likely not as robust.

Thoughts on how to improve the hashing or other plans to investigate memory usage?

And does it seem like a good idea to merge topic/v6-addr into master at this point so that we get more users exercising that code and so we can start working in separate branches for more IPv6 enhancements?  All the unit tests pass, but the external baselines need another set of eyes to sanity check them.


More information about the bro-dev mailing list