what is the difference between DPDK_SURICATA-4_1_1 and DPDK-Suricata_3.0? #2
Comments
@tolunFdancer I have to assume the title is your question. Answer>
|
I want to use suricata as IDS with dpdk to capture and parse packets, which one should I choose? 4.11 or 3.0? |
3.0 is done. |
Is 4.1.1 complete, and could it be used in a production environment? Thank you! |
It is not complete. Work in progress in spare. Appreciate help in design, coding and testing. |
@ahubaoan are there any plans from your end to design, contribute or test the same? |
Why not use dpdk-symmetric-RSS directly? |
I am not convinced with this approach, because
i.e.: if there is a 10G interface and 4 RX queues, in an ideal world you would get 2.5G per interface by using 4 RX threads. But each CPU core, tuned properly, can do around 25 to 30G RX burst. So one is wasting the potential by spreading on RSS in DPDK RX mode. @ahubaoan Can you share your plan of work from your end? Are you planning to design the feature list, design the to-do list, or contribute by testing? Please let me know at the earliest, as I am waiting for your inputs before starting the 2nd phase. |
I am not familiar with dpdk, but after understanding it, I know that dpdk has the advantage of reducing cpu interrupt, zero copy, and cache miss to improve performance. If we can handle the entire stream through one thread, ie: I am trying to make a simple IDS based on suricata, but the af-packet that comes with suricata is too slow, pf_ring and netmap are not very friendly (personal), looking for a more suitable packet driver |
A. use suricata worker mode, do not need any thread lock
B. hash at dpdk, it is very fast
C. zero copy from dpdk
D. most nic driver has 32/64 combined, in most cases my cpu is 32 threads or 64 threads, exactly match
|
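Added illustration, not part of any participant's comment and not code from this repository: the symmetric-RSS idea raised above (hash in the NIC so that one worker receives both directions of a flow, which an IDS needs for stream reassembly), shown as a software Toeplitz hash with the repeating `0x6d5a` key commonly used for symmetric RSS. The flow values, the helper names and the `hash % queues` queue choice (real NICs index a redirection table) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RSS_KEY_LEN 40

/* Key built from the repeating 16-bit pattern 0x6d5a (assumed; not from this thread). */
static void sym_key(uint8_t key[RSS_KEY_LEN]) {
    for (size_t i = 0; i < RSS_KEY_LEN; i++)
        key[i] = (i & 1) ? 0x5a : 0x6d;
}

/* Toeplitz hash: for every set input bit (MSB first), XOR in the 32-bit
 * key window that starts at that bit. key must hold at least len + 4 bytes. */
static uint32_t toeplitz(const uint8_t *key, const uint8_t *in, size_t len) {
    uint32_t hash = 0;
    uint32_t win = ((uint32_t)key[0] << 24) | ((uint32_t)key[1] << 16) |
                   ((uint32_t)key[2] << 8) | key[3];
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if (in[i] & (1u << b))
                hash ^= win;
            win = (win << 1) | ((key[i + 4] >> b) & 1u); /* slide window one bit */
        }
    return hash;
}

/* Hypothetical helper: hash of src IP, dst IP, src port, dst port (big endian). */
uint32_t rss_hash(uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp) {
    uint8_t key[RSS_KEY_LEN];
    uint8_t in[12] = { sip >> 24, sip >> 16, sip >> 8, sip,
                       dip >> 24, dip >> 16, dip >> 8, dip,
                       sp >> 8, sp, dp >> 8, dp };
    sym_key(key);
    return toeplitz(key, in, sizeof in);
}

/* Simplified queue choice; hardware uses the hash to index a redirection table. */
unsigned rss_queue(uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp, unsigned nq) {
    return rss_hash(sip, dip, sp, dp) % nq;
}

int main(void) {
    /* Constructed flow: 10.0.0.5:51000 <-> 192.168.1.20:443, 4 RX queues. */
    uint32_t c = 0x0a000005, s = 0xc0a80114;
    printf("client->server queue %u, server->client queue %u\n",
           rss_queue(c, s, 51000, 443, 4), rss_queue(s, c, 443, 51000, 4));
    return 0;
}
```

Because the key repeats every 16 bits and the swapped fields sit 32 bits (addresses) and 16 bits (ports) apart, both directions always produce the same hash.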
First of all, thank you for answering my question all the time. I just want the easiest and quickest way to make a DPDK+suricata IDS. Your DPDK-Suricata_3.0 version has implemented most of the features, but I found that your DPDK-Suricata_3.0 version seems to only use one thread. Although it runs in worker mode, the whole stream is only one thread and cannot use CPUs completely. Why not do multithreading directly, just like one thread bind one(or 2) NIC combined and one worker ? |
@ahubaoan it is clear from the above
version has implemented most of the features, but I found that your DPDK-Suricata_3.0 version seems to only use one thread. Although it runs in worker mode, the whole stream is only one thread and cannot use CPUs completely. Why not do multithreading directly, just like one thread bind one(or 2) NIC combined and one worker ? |
@ahubaoan I am happy if you are willing to contribute to your design as you suggested as
But please refer to the following.
based on your previous question Possible next question from your end: If above all are agreed, but still if you have a question like |
I found out that you commented on the function rte_eal_remote_launch(), why? I think about whether this method works:
Or more aggressive, still open threads in the worker, each thread to fetch data in the corresponding dpdk queue, instead of using ap_k eal_thread |
please do analysis and share me the reason why I have done the same.
with rte_eal_remote_launch instead of creating a thread in suricata.
|
If the plan is to share ideas, please use the template and raise it in the right forum. If these are arguments, please support them with proof. |
@ahubaoan Have you found the answers to update us all? |
Answer to the query why can not one use 5 tuple symmetric hash is because As I am not able to see any updates from @ahubaoan, I am assigning the task of updating this repository with the code of |
I found @ahubaoan updates in other repository for dpdk-suricata. Which means you are still active. At least update us all with progress and an early patch. |
based on the @ahubaoan comments, no contribution to this repository targeted emails, I have decided not to wait for @ahubaoan suggestions as git merge request. Have completed the functional logic with the performance of each worker thread around 1 million packets per sec. @tolunFdancer you can try the same. |