High CPU usage - PCAP_LOOP_SLEEP too high? #258

Open
leonyu opened this issue Sep 12, 2017 · 2 comments

leonyu commented Sep 12, 2017

I have been running htop (top-variant) to monitor some other service I have on my OpenWrt router, and CPU usage of fwknopd consistently ranked higher than the active dropbear connection that's actually sending back htop refreshes.

I seem to be able to lower it by setting PCAP_LOOP_SLEEP so the loop runs 1x per second. Even then, it is still taking up many more CPU cycles than idle OpenVPN (which also uses HMAC-signed UDP packets for negotiation).


In addition, there appears to be a typo in the man page. 10000μs = 0.01s, not 0.1s.

PCAP_LOOP_SLEEP

Sets the number of microseconds to passed as an argument to usleep() in the pcap loop. The default is 10000, or 1/10th of a second.

I am not sure if this actually is in the default configuration. If it is, it might be partially why it is taking up so many CPU cycles.

leonyu commented Sep 12, 2017

UPDATE: Running fwknopd in UDP server mode reduces CPU usage significantly, so the comparison with OpenVPN CPU usage is not applicable.

@jp-bennett
Collaborator

@leonyu It looks like the default pcap sleep time is set to 100000 if a value is not supplied. I think you're right, there is a typo in the man page. It claims the default is 10000, off by an order of magnitude.

The loop sleep is an important tuning value to balance how many CPU cycles fwknop consumes when idle vs. how many packets it can process. So if you're not at all concerned about an SPA DDOS, you can set that value even higher.

I've considered some ways to make the sleep time scale up or down based on how much traffic is coming through, but not had time to code it, and not sure if it's worth it.

Ah, I was going to mention the option of a real UDP socket rather than libpcap. Something to note there: you have to explicitly open the UDP port in your firewall for SPA packets to be detected. The great advantage of pcap is that it captures packets blocked by the firewall.
