https://redmine.openinfosecfoundation.org/https://redmine.openinfosecfoundation.org/favicon.ico?17011170022017-05-03T16:16:24ZOpen Information Security FoundationSuricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=81922017-05-03T16:16:24ZAndreas Herzoisf@herzandreas.de
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul> Suricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=82372017-05-09T11:13:41ZIgor Novgorodov
<ul></ul><p>Testing with latest git confirms that problem still persists, latency is still about 20ms.</p> Suricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=82382017-05-09T11:50:16ZEric Leblonderic@regit.org
<ul></ul><p>Are you testing with tpacket_v3 ? If yes can you test without it (so with v2) ?</p> Suricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=82392017-05-09T12:29:00ZIgor Novgorodov
<ul></ul><p>Yep, it was TPACKET_V3.<br />I've read somewhere that V3 is experimental, but didn't pay much attention to that.<br />With TPACKET_V2 it's fine - 0.2ms, thanks!</p> Suricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=82402017-05-09T13:27:54ZEric Leblonderic@regit.org
<ul></ul><p>It is not really experimental regarding to IPS. It will never work correctly: tpacket_v3 is using a block concept that contains a group of packets and deliver block by block so this induce a latency..</p> Suricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=82412017-05-09T13:29:18ZVictor Julienvictor@inliniac.net
<ul></ul><p>Eric should we add a big fat warning or even outright refuse to work in IPS mode with AFPv3?</p> Suricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=82422017-05-09T13:42:46ZIgor Novgorodov
<ul></ul><p>Yes, the CRIT log message during startup would be very nice and some mention in the docs, so others would not guess the cause of latency.<br />Sadly, but V2's performance is much worse. I was able to achieve the 0% drop on V2 only with 35% lower PPS than with V3.</p> Suricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=82432017-05-09T13:45:07ZEric Leblonderic@regit.org
<ul></ul><p>I think it is a good idea to avoid this kind of issue. I'm cooking something to go with the IPS fix.</p> Suricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=101502018-08-09T10:34:16ZVictor Julienvictor@inliniac.net
<ul><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Eric Leblond</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>4.1rc2</i></li></ul> Suricata - Bug #2100: af_packet: High latencyhttps://redmine.openinfosecfoundation.org/issues/2100?journal_id=103292018-10-16T12:17:37ZVictor Julienvictor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/2742">https://github.com/OISF/suricata/pull/2742</a></p>