Project

General

Profile

Actions
Copy link

Bug #2100

closed
IN EL

af_packet: High latency

Bug #2100: af_packet: High latency

Added by Igor Novgorodov about 9 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Eric Leblond
Target version:
4.1rc2
Affected Versions:
Effort:
Difficulty:
Label:

Description

Same configuration as in https://redmine.openinfosecfoundation.org/issues/2099

Network topology is simple:

[host1 eno50] <-> [eno50 host2(suricata) eno49] <-> [eno50 host3]


host1# ip addr add 192.168.99.1/24 dev eno50
host3# ip addr add 192.168.99.2/24 dev eno50

host3# ping 192.168.99.1 -c 1000 -q -f 
PING 192.168.99.1 (192.168.99.1) 56(84) bytes of data.

--- 192.168.99.1 ping statistics ---
1000 packets transmitted, 1000 received, 0% packet loss, time 19977ms
rtt min/avg/max/mdev = 23.308/26.272/39.973/0.457 ms, pipe 3, ipg/ewma 19.997/26.274 ms

When using NFQUEUE and routing through Suricata the latency is fine (sub-millisecond)

AH Updated by Andreas Herz almost 9 years ago Actions
Copy link
 #1

  • Assignee set to OISF Dev
  • Target version set to TBD

IN Updated by Igor Novgorodov almost 9 years ago Actions
Copy link
 #2

Testing with latest git confirms that problem still persists, latency is still about 20ms.

EL Updated by Eric Leblond almost 9 years ago Actions
Copy link
 #3

Are you testing with tpacket_v3 ? If yes can you test without it (so with v2) ?

IN Updated by Igor Novgorodov almost 9 years ago Actions
Copy link
 #4

Yep, it was TPACKET_V3.
I've read somewhere that V3 is experimental, but didn't pay much attention to that.
With TPACKET_V2 it's fine - 0.2ms, thanks!

EL Updated by Eric Leblond almost 9 years ago Actions
Copy link
 #5

It is not really experimental regarding to IPS. It will never work correctly: tpacket_v3 is using a block concept that contains a group of packets and deliver block by block so this induce a latency..

VJ Updated by Victor Julien almost 9 years ago Actions
Copy link
 #6

Eric should we add a big fat warning or even outright refuse to work in IPS mode with AFPv3?

IN Updated by Igor Novgorodov almost 9 years ago Actions
Copy link
 #7

Yes, the CRIT log message during startup would be very nice and some mention in the docs, so others would not guess the cause of latency.
Sadly, but V2's performance is much worse. I was able to achieve the 0% drop on V2 only with 35% lower PPS than with V3.

EL Updated by Eric Leblond almost 9 years ago Actions
Copy link
 #8

I think it is a good idea to avoid this kind of issue. I'm cooking something to go with the IPS fix.

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
 #9

  • Assignee changed from OISF Dev to Eric Leblond
  • Target version changed from TBD to 4.1rc2

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
 #10

  • Status changed from New to Closed
Actions
Copy link

Also available in: PDF Atom