Suricata bennefits from: great number of threads or less threads with cpu affinity?

Continuing the discussion from Suricata 6.0.4 behavior on threads CPU affnity wrong on some hardware:

If I disable HyperThreading I’m able to have suricata threads honoring cpu affinity for all 4 network interfaces (3 on numa node 0 en 1 on node 1) but only able to have 8 threads per cpu. If I enable HT,
19 threads per nic is possible, but cpu affinity gets a mess: 22 threads on wrong numa node.

See the challenge :
HT disabled
NUMA node0 CPU(s): 0-31
NUMA node1 CPU(s): 32-63

HT enabled:
NUMA node0 CPU(s): 0-31,64-95
NUMA node1 CPU(s): 32-63,96-127

What is performance wise the prefered option? More threads with a messy cpu affinity, or less threads honoring cpu affinity?

Cheers,
Andre

The best is to have more threads while honoring the thread affinity

I can see the problem you are having - while it gets better on Suricata side I’ve thought it might be possible to run two Suricata processes, one on each NUMA node.
So you run Suricata.proc1 on NUMA0 with 3 interfaces and Suricata.proc2 on NUMA1 with the other interface. To support this deployment scenario might be moving one of the interfaces of NUMA0 to NUMA1 to better balance the load - although that also depends on what traffic you expect on individual interfaces.

Otherwise, I would consider having more threads is better than NUMA node location. However, please note that adding a hyperthreaded core (where the other core runs Suricata already) is not equal to a free core albeit on a separate NUMA node that doesn’t run Suricata.

Hyperthreaded core only uses the fact that the “main” core must sometime wait for e.g. memory operations.

For your usecase I would assume running Suricata on all NUMA nodes and all cores yields better results considering you use more cores than you would use if you lock those 3 interfaces to NUMA node0.

Haha indeed my idea
We switched this morning one interface from0 to numa node 1, so now it’s better distributed. Before correcting the affinity, is it better to have HT disabled?
Cheers

It also really depends on the volume of traffic you mirror and the lscpu output - which in turns depends on Intel/AMD CPU architectures etc. The one you posted above looks good.
One thing to watch out for (at least in my observations) is also the memory/Ram NUMA location/pinning if it is done specifically for a process.
In a lot of cases you can run Suri with multi NIC/ports residing on diff NUMAs however as soon as it reaches the total configured memory usage for Suricata (aka lots of traffic per port - 20g+) - to the mem limits of the allocated ram of one NUMA it becomes non optimal and you need to split the config deployment.

Wondering if you can share some details about your setup , like CPU /NIC etc ?
Do you see a measurable difference while using or not HTs ?

Thanks Peter for your input.

“Do you see a measurable difference while using or not HTs ?”
Do you have some metrics to watch for, like nic drops or such?

Setup:
Redhat EL 8.8 x64
dpdk RTE Version: ‘DPDK 23.11.0-rc0’
Suricata 7.0.1-dev (c5d83d081 2023-08-07)
HP ProLiant DL380 Gen10 Plus (P05172-B21)

]# lscpu
Architecture:        x86_64
CPU op-mode(s):      32-bit, 64-bit
Byte Order:          Little Endian
CPU(s):              128
On-line CPU(s) list: 0-127
Thread(s) per core:  2
Core(s) per socket:  32
Socket(s):           2
NUMA node(s):        2
Vendor ID:           GenuineIntel
BIOS Vendor ID:      Intel(R) Corporation
CPU family:          6
Model:               106
Model name:          Intel(R) Xeon(R) Platinum 8358 CPU @ 2.60GHz
BIOS Model name:     Intel(R) Xeon(R) Platinum 8358 CPU @ 2.60GHz
Stepping:            6
CPU MHz:             2600.000
BogoMIPS:            5200.00
Virtualization:      VT-x
L1d cache:           48K
L1i cache:           32K
L2 cache:            1280K
L3 cache:            49152K
NUMA node0 CPU(s):   0-31,64-95
NUMA node1 CPU(s):   32-63,96-127
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 invpcid_single ssbd mba ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm rdt_a avx512f avx512dq rdseed adx smap avx512ifma clflushopt clwb intel_pt avx512cd sha_ni avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local split_lock_detect wbnoinvd dtherm ida arat pln pts avx512vbmi umip pku ospke avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg tme avx512_vpopcntdq la57 rdpid fsrm md_clear pconfig flush_l1d arch_capabilities

] free -m
              total        used        free      shared  buff/cache   available
Mem:         128054       79479         474          27       48100       47642
Swap:          7999           1        7998

]# lshw -c network -businfo
Bus info          Device     Class          Description
\=======================================================
pci@0000:0f:00.0             network        82599ES 10-Gigabit SFI/SFP+ Network Connection
pci@0000:0f:00.1  ens3f1     network        82599ES 10-Gigabit SFI/SFP+ Network Connection
pci@0000:10:00.0             network        Ethernet Controller E810-C for QSFP
pci@0000:10:00.1             network        Ethernet Controller E810-C for QSFP
pci@0000:48:00.0  ens10f0    network        I350 Gigabit Network Connection
pci@0000:48:00.1  ens10f1    network        I350 Gigabit Network Connection
pci@0000:48:00.2  ens10f2    network        I350 Gigabit Network Connection
pci@0000:48:00.3  ens10f3    network        I350 Gigabit Network Connection
pci@0000:84:00.0             network        Ethernet Controller E810-C for QSFP
pci@0000:84:00.1             network        Ethernet Controller E810-C for QSFP

]# dpdk-devbind.py -s
Network devices using DPDK-compatible driver
\============================================
0000:0f:00.0 '82599ES 10-Gigabit SFI/SFP+ Network Connection 10fb' drv=vfio-pci unused=ixgbe
0000:10:00.0 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice
0000:10:00.1 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice
0000:84:00.0 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice
0000:84:00.1 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice

Thank you for sharing the info!
I was thinking simply drops diff between one config set up vs the other over 2/6/24hr period of time.

First time a 24/h cycle metrics on an relative quite day, Wednesday, with HT enabled:
/var/log/suricata/suricata.log.1.gz:[232231 - Suricata-Main] 2023-08-17 03:34:22 Notice: device: 0000:10:00.0: packets: 15994588311, drops: 118855951 (0.74%), invalid chksum: 929
/var/log/suricata/suricata.log.1.gz:[232231 - Suricata-Main] 2023-08-17 03:34:22 Notice: device: 0000:84:00.0: packets: 15822227448, drops: 114754312 (0.73%), invalid chksum: 269
/var/log/suricata/suricata.log.1.gz:[232231 - Suricata-Main] 2023-08-17 03:34:22 Notice: device: 0000:0f:00.0: packets: 22094542158, drops: 474139660 (2.15%), invalid chksum: 0
/var/log/suricata/suricata.log.1.gz:[232231 - Suricata-Main] 2023-08-17 03:34:22 Notice: device: 0000:84:00.1: packets: 2926264973, drops: 2087141 (0.07%), invalid chksum: 124

Thank you !
Looking for the next run!

Next week I’ll try the HT disabled setup!

/var/log/suricata/suricata.log.1.gz:[580986 - Suricata-Main] 2023-08-18 03:34:18 Notice: device: 0000:10:00.0: packets: 16616140950, drops: 81269270 (0.49%), invalid chksum: 164
/var/log/suricata/suricata.log.1.gz:[580986 - Suricata-Main] 2023-08-18 03:34:18 Notice: device: 0000:84:00.0: packets: 16231428184, drops: 58351360 (0.36%), invalid chksum: 184
/var/log/suricata/suricata.log.1.gz:[580986 - Suricata-Main] 2023-08-18 03:34:19 Notice: device: 0000:0f:00.0: packets: 24174312045, drops: 205642544 (0.85%), invalid chksum: 0
/var/log/suricata/suricata.log.1.gz:[580986 - Suricata-Main] 2023-08-18 03:34:19 Notice: device: 0000:84:00.1: packets: 4047331919, drops: 2112103 (0.05%), invalid chksum: 67

Thursday night till Friday night stats. September is going to be more interesting seen all new students and the end of the summerholidays.

This second one seems better, was it for the same time run?

Yep 24h so I was suprised too due to the fact that Thurdays are bussier than Wednesdays related to networking statistics. Can’t find a explenation at the moment.

Friday night till Saturday night:

/var/log/suricata/suricata.log.1.gz:[897968 - Suricata-Main] 2023-08-19 03:20:19 Notice: device: 0000:10:00.0: packets: 16110161440, drops: 89161440 (0.55%), invalid chksum: 39
/var/log/suricata/suricata.log.1.gz:[897968 - Suricata-Main] 2023-08-19 03:20:19 Notice: device: 0000:84:00.0: packets: 19408816353, drops: 69452105 (0.36%), invalid chksum: 190
/var/log/suricata/suricata.log.1.gz:[897968 - Suricata-Main] 2023-08-19 03:20:20 Notice: device: 0000:0f:00.0: packets: 25359107080, drops: 143565404 (0.57%), invalid chksum:

Last two are with HT disabled right ?

No, this week was with HT enabled.

Today, this afternoon, started with running suricata 7 on this box with HT disabled in BIOS. So had to do a recalc regarding affinity, threads and nic position in suricata.yaml, but it is running now. First observation: nic bound cores wiggles sometimes between 100% and 99,% , can’t recall this happened while HT was enabled. Next: management bound cores are busy, logical because running on 6 cores instead of previous 12.

Stats from Wednesday 3am till Thursday 3am (Wednesday is a rellative quit day at the office compared to Mon, Tue en Thursday):
2023-09-14 03:28:22 Notice: device: 0000:0f:00.0: packets: 23359786281, drops: 60827223 (0.26%), invalid chksum: 0
2023-09-14 03:28:22 Notice: device: 0000:10:00.0: packets: 20642519818, drops: 137406874 (0.67%), invalid chksum: 361
2023-09-14 03:28:22 Notice: device: 0000:84:00.0: packets: 20270191223, drops: 144041815 (0.71%), invalid chksum: 339
2023-09-14 03:28:22 Notice: device: 0000:84:00.1: packets: 5490738281, drops: 884543 (0.02%), invalid chksum: 199

The alert dashboard does not show a significant increase of decrease in rule hits.

Thursday 3am till Friday 3am, intersting all under 1% drop … Gonna check if there is a difference regarding traffic with the HT enabled Thursdays.

Suricata-Main] 2023-09-15 03:42:19 Notice: device: 0000:0f:00.0: packets: 28097658210, drops: 85237655 (0.30%), invalid chksum: 0
2023-09-15 03:42:19 Notice: device: 0000:10:00.0: packets: 22109711167, drops: 120622976 (0.55%), invalid chksum: 240
2023-09-15 03:42:19 Notice: device: 0000:84:00.0: packets: 22284231192, drops: 111615208 (0.50%), invalid chksum: 235
Suricata-Main] 2023-09-15 03:42:20 Notice: device: 0000:84:00.1: packets: 6522491173, drops: 450463 (0.01%), invalid chksum: 185

So when comparing the results per interface it seems like HT disabled provides slightly better performance, am I evaluating it right?

That’s also my first impression, but I’m busy to fit the numbers in an Excel graph to have a better view.
suricata_ht_noht_chart.7z (30.4 KB)

Added Excel sheet you can use to compare HT/NOT HT , Interfaces, Packets, Drops.

Seems a slight advantage for NO-HT