Zeek benchmarks validation

Hi everyone,

I have a Zeek plugin (Zeek-Dpdk) that provides native DPDK support for Zeek as a packet source. I ran some benchmarks and wanted to validate the results with the community.

The benchmarking scenario is as follows: two servers connected back to back via their Mellanox ConnectX-5 single-port 100G NIC cards. One server is sending at line rate (100G) with pktgen-dpdk and the other is running a single Zeek instance with my plugin. The enabled logs are the typical stats.log, conn.log, capture_loss.log, reporter.log, packet_filter.log, notice.log. With some DPDK tuning, I was sending synthetic traffic at 100Gbps and observed that Zeek is capturing logs at 97Gbps (modified stats.zeek to report the per-second load). These results also depend on the packet size generated, which is very much expected (i.e., larger packets → higher throughput):

  • ~97 Gbps for packets > 1024 Bytes
  • ~62 Gbps for packets between 512 B and 1024 B
  • ~16 Gbps for packets between 128 B and 512 B

I understand that this scenario is not realistic. However, I was wondering if you could provide any feedback on the accuracy of these results as a best-case scenario, particularly given that my findings are related to a single Zeek instance with accelerated packet capture via DPDK, and I didn't modify anything else in Zeek.

Many thanks,

Siham