I have been running htop (top-variant) to monitor some other service I have on my OpenWrt router, and CPU usage of fwknopd consistently ranked higher than the active dropbear connection that's actually sending back htop refreshes.
I seem to be able to lower it by setting PCAP_LOOP_SLEEP so the loop is 1x per second. Even then, it is still taking up much more CPU cycles than idle OpenVPN (which also uses HMAC-signed UDP packets for negotiation).
In addition, there appears to be a typo with the man page. 10000μs = 0.01s, not 0.1s.
PCAP_LOOP_SLEEP
Sets the number of microseconds to passed as an argument to usleep() in the pcap loop. The default is 10000, or 1/10th of a second.
I am not sure if this actually is in the default configuration. If it is, it might be partially why it is taking up so many CPU cycles.
@leonyu It looks like the default pcap sleep time is set to 100000 if a value is not supplied. I think you're right, there is a typo in the man page. It claims the default is 10000, off by an order of magnitude.
The loop sleep is an important tuning value to balance how many cpu cycles fwknop consumes when idle, vs how many packets it can process. So if you're not at all concerned about an SPA DDOS, you can set that value even higher.
I've considered some ways to make the sleep time scale up or down based on how much traffic is coming through, but have not had time to code it, and am not sure if it's worth it.
Ah, I was going to mention the option of a real UDP socket rather than libpcap. Something to note there: you have to explicitly open the UDP port in your firewall for SPA packets to be detected. The great advantage of pcap is that it captures packets blocked by the firewall.
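A sketch of the traffic-scaled sleep idea raised in the thread, as an added example that is not fwknop code: the function names and the two bounds are assumptions, and the 100000 µs starting value is the default quoted in the reply above. It compares idle wakeups for a fixed sleep against a sleep that doubles on each idle pass and drops to the floor as soon as packets are seen.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bounds in microseconds; these are not fwknop settings. */
#define SLEEP_MIN_US   10000u   /* 0.01 s floor while packets are arriving */
#define SLEEP_MAX_US 1000000u   /* 1 s ceiling once the link has gone quiet */

/* Next usleep() interval, given the current one and how many packets the
 * last capture pass handled. Any traffic drops straight to the floor so a
 * burst is drained quickly; each idle pass doubles the interval up to the cap. */
uint32_t next_sleep_us(uint32_t cur_us, int pkts_last_pass)
{
    uint32_t next;
    if (pkts_last_pass > 0)
        return SLEEP_MIN_US;
    if (cur_us >= SLEEP_MAX_US / 2)      /* also avoids overflow on doubling */
        return SLEEP_MAX_US;
    next = cur_us * 2;
    return next < SLEEP_MIN_US ? SLEEP_MIN_US : next;
}

/* Count loop wakeups during an idle window, with a fixed or adaptive sleep. */
unsigned idle_wakeups(uint32_t start_us, uint64_t window_us, int adaptive)
{
    uint64_t elapsed = 0;
    uint32_t cur = start_us;
    unsigned wakeups = 0;
    if (cur == 0)
        return 0;                        /* a zero sleep never advances time */
    while (elapsed + cur <= window_us) {
        elapsed += cur;
        wakeups++;
        if (adaptive)
            cur = next_sleep_us(cur, 0); /* idle window: no packets handled */
    }
    return wakeups;
}

int main(void)
{
    const uint64_t window = 10000000;    /* 10 s of idle time */
    printf("fixed 100000 us:    %u wakeups\n", idle_wakeups(100000, window, 0));
    printf("adaptive from same: %u wakeups\n", idle_wakeups(100000, window, 1));
    printf("after a packet:     %u us\n", (unsigned)next_sleep_us(SLEEP_MAX_US, 1));
    return 0;
}
```

The cost is latency: after a quiet period, the first SPA packet can wait up to SLEEP_MAX_US before the loop wakes and processes it.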