lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 30 Nov 2010 17:22:50 +0800
From:	Rui <wirelesser@...il.com>
To:	netdev@...r.kernel.org
Subject: multi bpf filter will impact performance?

hi

I did a test with an intel X520 10Gnic, HP DL380 G6,  to see how the
bpf filter will impact the performance.

kernel .2.6.32 SLES11+SP1, original ixgbe driver

step 0:
launch 4 tcpdump processes,each applied a filter to filter out some
GTP-U packets. seen with 'tcpdump -d', the bpf code has about 100
lines.

#!/bin/sh
PCAP_FRAMES=32000 ./tcpdump_MMAP -i eth4 'udp dst port 2152 and (
(((ether[48:1]&0x07)>0) and
(((ether[66:1]+ether[67:1]+ether[68:1]+ether[69:1]+ether[70:1]+ether[71:1]+ether[72:1]+ether[73:1])&0x03)==0))
or (((ether[48:1]&0x07)==0) and
(((ether[62:1]+ether[63:1]+ether[64:1]+ether[65:1]+ether[66:1]+ether[67:1]+ether[68:1]+ether[69:1])&0x03)==0))
) ' -w /dev/null -s 4096 2>f1.log &
PCAP_FRAMES=32000 ./tcpdump_MMAP -i eth4 'udp dst port 2152 and (
(((ether[48:1]&0x07)>0) and
(((ether[66:1]+ether[67:1]+ether[68:1]+ether[69:1]+ether[70:1]+ether[71:1]+ether[72:1]+ether[73:1])&0x03)==1))
or (((ether[48:1]&0x07)==0) and
(((ether[62:1]+ether[63:1]+ether[64:1]+ether[65:1]+ether[66:1]+ether[67:1]+ether[68:1]+ether[69:1])&0x03)==1))
) ' -w /dev/null -s 4096 2>f2.log &
PCAP_FRAMES=32000 ./tcpdump_MMAP -i eth4 'udp dst port 2152 and (
(((ether[48:1]&0x07)>0) and
(((ether[66:1]+ether[67:1]+ether[68:1]+ether[69:1]+ether[70:1]+ether[71:1]+ether[72:1]+ether[73:1])&0x03)==2))
or (((ether[48:1]&0x07)==0) and
(((ether[62:1]+ether[63:1]+ether[64:1]+ether[65:1]+ether[66:1]+ether[67:1]+ether[68:1]+ether[69:1])&0x03)==2))
) ' -w /dev/null -s 4096 2>f3.log &
PCAP_FRAMES=32000 ./tcpdump_MMAP -i eth4 'udp dst port 2152 and (
(((ether[48:1]&0x07)>0) and
(((ether[66:1]+ether[67:1]+ether[68:1]+ether[69:1]+ether[70:1]+ether[71:1]+ether[72:1]+ether[73:1])&0x03)==3))
or (((ether[48:1]&0x07)==0) and
(((ether[62:1]+ether[63:1]+ether[64:1]+ether[65:1]+ether[66:1]+ether[67:1]+ether[68:1]+ether[69:1])&0x03)==3))
) ' -w /dev/null -s 4096 2>f4.log &


step1:
use stress test equipment to generate traffic >1.2Gbps


step2:
type 'ifconfig eth4'
saw many packets dropped

step3:
type 'sar -n DEV 1', the incoming throughput limited at 800Mbps


my questions:

Q1. the bpf filter is run one by one? will only one filter be executed
for one sock? (so that the tcpdump corresponding kernel part will run
filter in parallel?)

Q2. performance is bad? any idea to improve it?

thanks a lot
rui
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ