Re: Performance again

[Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>]

Matt Kettler schrieb:
> At 10:55 AM 12/23/2003, Edin Dizdarevic wrote:

[...]
> 5. Other.
>
> with libpcap, packets are queued into a buffer for snort to read. That 
> buffer is a fixed size. When snort reads a packet, it is removed from 
> the buffer and that space is freed for new packets to arrive.

AFAIK there are two buffers: store and hold, at least according to Mr.
Stevens. This may not aply to Linux. Anyway, if we use Phil Wood's
libpcap it would be possible to virtually extend the buffer size. So
with that countermeasure we give Snort more time to finish the tasks
pending. Correct so far?

But if we go a step further, there are also some Snort parameters which
influence the amount of the time Snort has for the individual tasks 
themselves. If I give the preprocessors more of the machine's (endless)
memory I may remove the bottleneck there. On the other side the libpcap
"wants" some memory too and the system itself and so on. Sure, "Throw
memory and/or money on it"-approach will almost always solve the
problems one may have, but in this particular case I would prefer 
choosing another one ;) . I am simply trying to understand how is
everything working together as one complex system. The only information
source I have at the moment is the performance monitor.

Regards,
Edin


--
Edin Dizdarevic



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users