scudette
commented
4 years ago Do you have some performance numbers? I think in Velociraptor we use 8k blocks https://github.com/Velocidex/velociraptor/blob/0cffe0e9c9ef55db2866fe711511e17c1f0a624a/vql/windows/filesystems/ntfs_windows.go#L225 which may still be too small.
The main purpose of PagedReader is to back the data so the generated parsers can be used efficiently. The parsers all use ReaderAt() which does a seek and read of very small 1-8 bytes and the paged reader stops it going to disk for 8 byte reads. NTFS has a block size of 0x400 so that is where the 1024 is coming from. Each MFT entry has to be read into memory, unfixed and then parsed out into the records.
It might benefit reading more although it depends on access pattern and it is a memory tradeoff. Typically I would expect blocks to be in the file cache anyway so say 8kb reads should only bear the syscall overhead but depending on the OS this might be a lot.
cugu
I did some testing with extraction of files from NTFS. I figured out, that
PagedReadercan be a bottleneck if configured incorrectly. A page size of 1024 is slowing down copies of large files.I'm now using
parser.NewPagedReader(r, 1024*1024, 100*1024*1024)which yielded quite good results. I've not thoroughly tested implications on memory though.Is there any reason for 1024 being used basically everywhere (https://grep.app/search?q=NewPagedReader)?