https://home.regit.org/tags/performance/ Recent content in Performance on To Linux and beyond ! Hugo fr Mon, 18 Nov 2013 12:59:59 +0000 https://home.regit.org/2013/11/using-linux-perf-tools-for-suricata-performance-analysis/ Mon, 18 Nov 2013 12:59:59 +0000 https://home.regit.org/2013/11/using-linux-perf-tools-for-suricata-performance-analysis/ <h4 id="introduction">Introduction</h4> <p><a href="https://perf.wiki.kernel.org/index.php/Main_Page">Perf</a> is a great tool to analyse performances on Linux boxes. For example, <em>perf top</em> will give you this type of output on a box running <a href="http://suricata-ids.org/">Suricata</a> on a high speed network:</p> <pre>Events: 32K cycles 28.41% suricata [.] SCACSearch 19.86% libc-2.15.so [.] tolower 17.83% suricata [.] SigMatchSignaturesBuildMatchArray 6.11% suricata [.] SigMatchSignaturesBuildMatchArrayAddSignature 2.06% suricata [.] tolower@plt 1.70% libpthread-2.15.so [.] pthread_mutex_trylock 1.17% suricata [.] StreamTcpGetFlowState 1.10% libc-2.15.so [.] __memcpy_ssse3_back 0.90% libpthread-2.15.so [.] pthread_mutex_lock</pre> <p>The functions are sorted by CPU consumption. Using arrow key it is possible to jump into the annotated code to see where most CPU cycles are used.</p> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/ Mon, 30 Jul 2012 21:03:19 +0000 https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/ <h4 id="introduction">Introduction</h4> <p>Since the beginning of July 2012, OISF team is able to access to a server where one interface is receiving<br> some mirrored real European traffic. When reading &ldquo;some&rdquo;, think between 5Gbps and 9.5Gbps<br> constant traffic. With that traffic, this is around 1Mpps to 1.5M packet per seconds we have to study.</p> <p>The box itself is a standard server with the following characteristics:</p> <ul> <li>CPU: One Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (16 cores counting Hyperthreading)</li> <li>Memory: 32Go</li> <li>capture NIC: Intel 82599EB 10-Gigabit SFI/SFP+</li> </ul> <p>The objective is simple: be able to run Suricata on this box and treat the whole<br> traffic with a decent number of rules. With the constraint not to use any non<br> official system code (plain system and kernel if we omit a driver).</p> https://home.regit.org/2012/02/using-af_packet-zero-copy-mode-in-suricata/ Thu, 23 Feb 2012 18:25:15 +0000 https://home.regit.org/2012/02/using-af_packet-zero-copy-mode-in-suricata/ <p><a href="http://www.inliniac.net/blog/">Victor Julien</a> has <a href="http://lists.openinfosecfoundation.org/pipermail/oisf-devel/2012-February/001283.html">just pushed</a> a new feature to <a href="https://redmine.openinfosecfoundation.org/projects/suricata/repository">suricata’s git tree</a>. It brings improvements to the AF_PACKET capture mode.</p> <p>This capture mode can be used on Linux. It is the native way to capture packet. Suricata is able to use the interesting new multithreading feature provided by AF_PACKET on recent kernels: it is possible to have multiple capture threads receiving the packet of a single interface.</p> <p>The commits add mmaped ring buffer support to AF_PACKET capture and also provide a zero copy mode. Mmaped ring buffer is mechanism similar to the one used by PF_RING. The kernel allocates some memory to store the packets and share this memory with the capture process. Instead of sending messages, the kernel just write to the shared memory and the process capture reads it. This is less consuming in term of CPU ressource and helps to increase the capture rate. But the main avantage of this technique is that the capture process can treat the packets without making a copy and this saves a lot of time</p>