4x Suricata Performance Increase
Napatech Link™ Capture Software
for Intel® PAC with Intel Arria® 10 GX FPGA
Napatech has created a hardware acceleration solution that alleviates the load on the CPU and thereby greatly increases Suricata performance. This has been achieved by making the industry-leading Napatech Link™ Capture Software available for the Intel® Programmable Acceleration Card (PAC) with Intel Arria® 10 GX FPGA.
The software’s intelligent feature set offloads processing and analysis of Ethernet data from application software, while ensuring optimal use of the standard server’s resources leading to outstanding application acceleration. Other capabilities include network traffic capture at full line rate, with zero-loss packet capture, hardware timestamping and tunneling support, all on an Intel PAC.
Key Solution Features
• Line rate network throughput for all packet sizes
• Lossless capture for perfect inspection and detection
• Onboard packet buffering during micro-burst or PCI Express bus congestion scenarios
• Advanced host memory buffer management for ultra-high CPU cache performance
• Packet classification, match/action filtering and zero-copy forwarding
• Intelligent and flexible load distribution to 64 queues improving CPU cache performance by always delivering the same flows to the same cores
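The last feature above is the one that matters most for an IDS: Suricata tracks TCP streams per flow, so when the two directions of a connection are steered to different queues (and therefore different worker threads) reassembly is split and signatures that span the stream can be missed. The following is an added illustration, not Napatech's code and not Suricata's; it uses CRC32 as a stand-in for the card's hash function and constructed sample flows, and contrasts a direction-dependent hash with a symmetric one that keeps both directions of every flow on the same one of 64 queues.

```python
import ipaddress
import random
import zlib
from dataclasses import dataclass

NUM_QUEUES = 64  # the brief's figure: load distribution to 64 queues


@dataclass(frozen=True)
class FiveTuple:
    """One packet's flow key as seen on the wire."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # 6 = TCP, 17 = UDP


def _packed(ip: str) -> bytes:
    # IPv4 -> 4 bytes, IPv6 -> 16 bytes; both work with the comparisons below.
    return ipaddress.ip_address(ip).packed


def _key(ip_a: bytes, port_a: int, ip_b: bytes, port_b: int, proto: int) -> bytes:
    return ip_a + port_a.to_bytes(2, "big") + ip_b + port_b.to_bytes(2, "big") + bytes([proto])


def naive_queue(t: FiveTuple, num_queues: int = NUM_QUEUES) -> int:
    """Direction-dependent hash (CRC32 stands in for the hardware hash):
    the replies of a flow generally land in a different queue than the requests."""
    key = _key(_packed(t.src_ip), t.src_port, _packed(t.dst_ip), t.dst_port, t.proto)
    return zlib.crc32(key) % num_queues


def symmetric_queue(t: FiveTuple, num_queues: int = NUM_QUEUES) -> int:
    """Direction-independent hash: order the two endpoints before hashing,
    so A->B and B->A produce the same key and the same queue."""
    a = (_packed(t.src_ip), t.src_port)
    b = (_packed(t.dst_ip), t.dst_port)
    (ip_lo, port_lo), (ip_hi, port_hi) = sorted([a, b])
    return zlib.crc32(_key(ip_lo, port_lo, ip_hi, port_hi, t.proto)) % num_queues


def reverse(t: FiveTuple) -> FiveTuple:
    """The same flow seen in the opposite direction (server -> client)."""
    return FiveTuple(t.dst_ip, t.src_ip, t.dst_port, t.src_port, t.proto)


def split_flows(flows, queue_fn, num_queues: int = NUM_QUEUES) -> int:
    """Count flows whose two directions are steered to different queues,
    i.e. flows whose stream reassembly would be split across Suricata workers."""
    return sum(1 for f in flows if queue_fn(f, num_queues) != queue_fn(reverse(f), num_queues))


def queue_load(flows, queue_fn, num_queues: int = NUM_QUEUES) -> list:
    """Flows per queue for the client->server direction: a rough balance check."""
    load = [0] * num_queues
    for f in flows:
        load[queue_fn(f, num_queues)] += 1
    return load


def sample_flows(n: int, seed: int = 7) -> list:
    """Constructed sample (not captured traffic): n client->server TCP flows
    from a 10/8 client range to a handful of servers on well-known ports."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        client = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(2, 255)}"
        server = f"203.0.113.{rng.randrange(1, 255)}"
        flows.append(FiveTuple(client, server, rng.randrange(1024, 65536), rng.choice([80, 443, 53]), 6))
    return flows


if __name__ == "__main__":
    flows = sample_flows(2000)
    print("naive hash, flows split across queues:    ", split_flows(flows, naive_queue))
    print("symmetric hash, flows split across queues:", split_flows(flows, symmetric_queue))
    load = queue_load(flows, symmetric_queue)
    print("symmetric hash, min/max flows per queue:  ", min(load), max(load))
```

The same property is what Suricata's documentation asks of a NIC's RSS configuration when running in workers mode: the hash must be symmetric, otherwise a flow's request and reply packets reach different threads and detection silently degrades, which is exactly the kind of blind spot the brief warns about below.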
For Intrusion Detection implementations, missing any significant fraction of network traffic is unacceptable, as even a single packet not inspected by the Intrusion Detection System (IDS) represents a blind spot for the security team.
Suricata IDS detects known threats, policy violations and malicious behaviors. However, as capable as Suricata is in reactively protecting a network, it will only be as effective as its implementation. Examining the contents of every network packet is extremely CPU-intensive, especially for a multi-gigabit traffic load, and this CPU-bound packet processing is often the limiting factor in Suricata performance.
In addressing this challenge, Napatech has created a hardware acceleration solution that alleviates the load on the CPU and thereby greatly increases Suricata performance. This has been achieved by making the Napatech Link™ Capture Software available as an Acceleration Stack for the Intel® Programmable Acceleration Card (PAC A10) with Intel Arria® 10 GX FPGA.
The Intel / Napatech difference
The Intel PAC and Napatech Link™ Capture Software solution is uniquely suited for lossless acceleration of Suricata. It offloads processing and analysis of networking traffic from the application software, while ensuring optimal use of the standard server’s resources leading to effective application acceleration.
Optimized to capture all network traffic, at all frame sizes, at full line rate with almost no CPU load on the host server, the solution demonstrates substantial lossless performance advantages for Suricata compared to a standard Network Interface Card (NIC):
• 4 times lossless packet decode performance
• 100% lossless capture of all network traffic
• 40% improvement in CPU utilization
Turning acceleration into value
These performance advantages ultimately allow you to:
• Maximize your server performance by improving CPU utilization
• Minimize your TCO by reducing the number of servers needed, thus optimizing rack space, power, cooling and operational expenses
• Diminish your time-to-resolution, thereby enabling greatly increased efficiency
[Figure: Suricata Lossless Throughput. Y-axis: No-drop Rate (Gbps). Series: Standard NIC; Intel PAC A10.]
[Figure: Suricata Throughput (Emerging Threat Ruleset). X-axis: Input Rate (Gbps); Y-axis: Decode Rate (Gbps). Series: Standard NIC 40 Threads; Standard NIC 80 Threads; Intel PAC A10 40 Threads; Intel PAC A10 80 Threads.]
Outstanding Lossless Performance
The improvements achieved with this solution were demonstrated by comparing Suricata performance running on a Dell PowerEdge R740 with a standard 40G NIC card and the Intel PAC A10.
Using all 20 cores (40 HT) on a single socket, the Intel PAC A10 with Napatech Link™ Capture Software provided nearly 4x higher lossless Suricata packet throughput compared to a standard NIC when running Suricata with a 12,712 signature Emerging Threats ruleset.
Using 40 cores (80 HT) on both sockets, the Intel PAC delivered 39 Gbps of lossless Suricata packet throughput, while the standard NIC peaked at 15 Gbps.
Running Suricata on all 40 cores, the system topped out at 28.8 Gbps with a standard NIC, whereas the Intel PAC delivered 40 Gbps – demonstrating a 40% improvement in CPU utilization. The solution delivered a full 40 Gbps data stream to Suricata without loss while the host buffer utilization was barely measurable.
The test configuration was based on a dual-socket Dell R740 with Intel® Xeon® Gold 6138 2.0 GHz, 128GB RAM running CentOS 7.5. Traffic was generated by PCAP replay of an actual network traffic capture comprising more than 125K flows with an average packet size of 486 bytes.