Hardware vs. software flow bypass in Suricata – Part 1

In last week’s blog post, we discussed the introduction of software-based flow processing in Suricata release 3.2 (December 2016). This was a substantial feature addition, but unfortunately it is only useful for the most basic of scenarios. To give our readers a sense of how software-based Suricata flow bypass performs relative to hardware-based, we teamed up with researchers from ntop—an engineering-driven company developing high-performance software for network traffic analysis. ntop has decades of experience in networking and more specifically in flow analysis via protocols such as NetFlow/IPFIX. Suricata flow bypass

For the experiment, two identical servers were set up and configured with Suricata version 4.0.1. One server had an ANIC-40Ku adapter installed in it and the other relied entirely on Suricata’s software implementation of flow bypass. The test parameters were as follows:

  • Server Hardware: Intel Xeon E3 (single core)
  • Suricata Version: 4.0.1
  • Adapter Hardware: Accolade ANIC-40Ku (4 x 10G)
  • Test Traffic Speed: 18 Gbps
  • Test Traffic: Mixed Internet Traffic

In next week’s blog we will dive into the details of the test setup and execution. For those that want to read ahead, please reference the tech brief below.

[Tech Brief] Download Shunt Away Unwanted Suricata Traffic

Want to Learn More?

Host CPU Offload Product Features Summary

wdt_ID Speed 1G 10G 10G 10G 10G/40G 10G/40G 100G 100G 100G
1 Model 4Ku 20ku 40ku 40kq 80ku ATLAS-1100 Service Node ANIC-200KFlex ANIC-100Kq ANIC-200Kq
2 Port/Type 4X1G SFP 2X10G SFP+ 4X10G SFP+ 1X40G QSFP+ 4X10G SFP+ 2X40G QSFP+ 8X10G SFP+ 4x10G SFP+ 1x40G QSFP+ 2x100G QSFP28 2x40G QSFP28 1X100G QSFP28 2X100G QSFP28
3 PCIe Interface Gen3 x8 Gen3 x8 Gen3 x8 Gen3 x8 Gen3 x8 Gen3 x8 Gen3 x16 Gen3 x16 Gen3 x16
4 Dimensions(H x L inches) 4.25 x 6.5   4.25 x 6.25 4.25 x 6.25 4.25 x 6.25 4.25 x 6.25 1.75 x12.28x14 4.25 x 6.5 4.25 x 10.5 4.25 x 10.5
5 Memory 32MB 4G 4G 4G 4G 16/32G 8G 12G 12G
6 Timestamp 5.7 nS 5.7 nS 5.7 nS 5.7 nS 5.7 nS 5.7 nS 4 nS 4 nS 4 nS
7 100% Packet
Capture
8 Gigamon, AristaTimestamp
9 Packet Merging
10 Packet Parsing

About Accolade

Accolade is the technology leader in FPGA-based Host CPU Offload and 100% Packet Capture PCIe NIC’s and Scalable 1U Platforms. Accolade’s line of 1-100GE products enable 100% packet capture, flow classification, flow shunting, deduplication, packet filtering and more. Our customers are global leaders in network monitoring & cybersecurity applications as well as in the network test and measurement, telecom and video stream monitoring markets.

FPGA Acceleration Features

100% Packet Capture | Flow Classification | Flow Shunting | Precise Time Stamping | Packet Merging | Packet Slicing | Packet Parsing | Packet Filtering | Deduplication | Host Packet Buffer | Packet Steering | Direct Memory Access (DMA) | Statistics (RMON1)

Free Product Evaluation

Resolve all your host CPU offload bottlenecks. Share Your Technical Requirements with our FPGA and software experts to tailor the optimal solution. Accolade offers a 60 day free product evaluation for qualified customers to fully test and evaluate our products.