Hardware vs. software flow bypass in Suricata – Part 1
In last week’s blog post, we discussed the introduction of software-based flow processing in Suricata release 3.2 (December 2016). This was a substantial feature addition, but unfortunately it is only useful for the most basic of scenarios. To give our readers a sense of how software-based Suricata flow bypass performs relative to hardware-based flow bypass, we teamed up with researchers from ntop—an engineering-driven company developing high-performance software for network traffic analysis. ntop has decades of experience in networking and, more specifically, in flow analysis via protocols such as NetFlow/IPFIX.
For the experiment, two identical servers were set up and configured with Suricata version 4.0.1. One server had an ANIC-40Ku adapter installed, and the other relied entirely on Suricata’s software implementation of flow bypass. The test parameters were as follows:
- Server Hardware: Intel Xeon E3 (single core)
- Suricata Version: 4.0.1
- Adapter Hardware: Accolade ANIC-40Ku (4 x 10G)
- Test Traffic Speed: 18 Gbps
- Test Traffic: Mixed Internet Traffic
In next week’s blog post, we will dive into the details of the test setup and execution. For those who want to read ahead, please reference the tech brief below.