Netgate 8200 IDP throughput?

Tom did this for the 6100, but I didn't see him do this for the 8200. He mentioned faster page loading for rules.

But I'm curious what the single stream speed is on the 8200 with Suricata or Snort on?

Suricata/Snort does not have a dramatic effect on single stream.

Thank you Tom.

Maybe I am using the incorrect word or am confused. In your 6100 review you had iPerf with a single stream while Suricata was running, which brought the result down to 2.6 Gbps as opposed to multiple streams.

Since I do have a 10Gbps network, I am curious if this number changes with the 8200.

I think the single stream performance is about the same.

Thanks Tom.

I was thinking 2x if CPU was the only/primary factor affecting the number, because the 8200 looks to have twice the PassMark CPU score.

But then that would make no sense for OPNsense labeling their IPS traffic as 2Gbps, because their CPU on PassMark is at close to 4x that of the 6100 (unless their coding on OPNsense is more inefficient/has more overhead).

Although I might not use all these features, I still get very curious…and fixated/focused on these things.

So I appreciate your content, especially going into the details of why you think things are happening rather than just showing numbers.

…but if you're looking at the single core performance it is even slightly lower, which is more relevant for the performance of a single stream:

  1. Packet filtering itself for a single stream cannot take much advantage of multiple cores, because with stateful filtering the traffic has to be processed in the right order, so it can't easily be distributed over multiple cores.

  2. As far as I remember, Snort is a single-threaded application, so the additional cores won't help you at all. Not sure if that has changed since I last tried it.

  3. While Suricata can make use of multi-core CPUs, I doubt that doubling the core count will result in doubling the speed, and the general limitations of a single stream still remain.

Of course it is much more complex than that, but in many cases, especially for single stream performance, a higher clock frequency is better than a higher core count.

1 Like
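For anyone who wants to reproduce the single-stream vs. multi-stream comparison the thread keeps referring to, here is an added helper (not code from any poster on this thread, and not part of the original page). It builds the two iperf3 client invocations (one TCP stream, then four parallel streams) and summarizes the `--json` report that iperf3 emits, so the per-stream ceiling and the aggregate can be read side by side. The report structure (`end.streams[].receiver.bits_per_second`, `end.sum_received.bits_per_second`) is the real iperf3 JSON layout; the server address and the two embedded reports with their throughput figures are constructed sample data, not measurements from any Netgate box.

```python
"""Compare single-stream and multi-stream iperf3 results through an IPS.

Added example for this thread; assumes iperf3 >= 3.1 JSON output. The
sample reports below are constructed, trimmed to the fields that matter.
"""
import json
from typing import Dict, List


def iperf_commands(server: str, seconds: int = 10) -> Dict[str, List[str]]:
    """Client command lines for the two runs. '-P 1' forces a single TCP
    stream (the case the thread is asking about); '-P 4' opens four
    parallel streams so the IPS can spread flows across cores."""
    base = ["iperf3", "-c", server, "-t", str(seconds), "--json"]
    return {
        "single": base + ["-P", "1"],
        "parallel": base + ["-P", "4"],
    }


def summarize(report: dict) -> dict:
    """Pull per-stream and aggregate receiver throughput out of one report.

    iperf3 writes its totals under report['end']: one entry per stream
    in 'streams' (each with 'sender' and 'receiver'), plus 'sum_received'.
    """
    end = report["end"]
    per_stream = [s["receiver"]["bits_per_second"] for s in end["streams"]]
    total = end["sum_received"]["bits_per_second"]
    return {
        "streams": len(per_stream),
        "per_stream_gbps": [round(b / 1e9, 2) for b in per_stream],
        "total_gbps": round(total / 1e9, 2),
    }


def compare(single_json: str, parallel_json: str) -> dict:
    """Combine both runs. 'scaling' is aggregate multi-stream throughput
    divided by single-stream throughput; a value near 1.0 means the extra
    streams bought nothing, a value well above 1.0 means the single stream
    was capped by per-core (per-flow) processing rather than the link."""
    single = summarize(json.loads(single_json))
    parallel = summarize(json.loads(parallel_json))
    return {
        "single_gbps": single["total_gbps"],
        "parallel_gbps": parallel["total_gbps"],
        "parallel_streams": parallel["streams"],
        "scaling": round(parallel["total_gbps"] / single["total_gbps"], 2),
    }


def _report(stream_bps: List[float]) -> str:
    """Build a constructed iperf3-style JSON report for the given streams."""
    return json.dumps({
        "end": {
            "streams": [
                {"sender": {"bits_per_second": b},
                 "receiver": {"bits_per_second": b}} for b in stream_bps
            ],
            "sum_sent": {"bits_per_second": sum(stream_bps)},
            "sum_received": {"bits_per_second": sum(stream_bps)},
        }
    })


# Constructed sample data (not measured): one stream capped at 2.6 Gbps,
# four streams each landing near 2 Gbps for about 8.2 Gbps in total.
SAMPLE_SINGLE = _report([2.6e9])
SAMPLE_PARALLEL = _report([2.1e9, 2.0e9, 2.05e9, 2.05e9])


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the iperf3 server
    # on the far side of the firewall.
    for name, argv in iperf_commands("192.0.2.10").items():
        print(f"{name:9s} {' '.join(argv)}")
    print(compare(SAMPLE_SINGLE, SAMPLE_PARALLEL))
```

Run each command with the IPS disabled and then enabled; the single-stream number is the one that tells you how much a given rule set costs per flow, and the scaling ratio tells you whether more cores would help at all.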

Great point. The single core part makes total sense. I remember reading Snort is now also multithreaded.