Snort mailing list archives
Re: Unusual Snort performance stats
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 23 Feb 2010 09:59:55 +1300
On 02/23/2010 05:29 AM, Matt Watchinski wrote:
> 1. Outstanding means that packets never got out of the ethernet card before they got dropped. IE pcap didn't get to them before they disappeared.
Well that does my mind in. Can you explain to the uninitiated how snort can know a packet was received by an Ethernet card, but then dropped before it got out of the card? Does that mean there are two ways to drop packets? Am I correct in saying that "dropped packets" implies the OS (ie pcap) received the packet but dropped it due to snort/userspace being too busy to extract all the buffer within some time period, but "outstanding" is just as bad? I've only ever noticed the "Dropped" field before :-(
> This stat means that some percentage of your traffic contains protocols that snort doesn't do anything with. Tracking these down and adding BPFs to ignore them could improve performance.
That's good advice we could all use I'm sure!
> 3. Are you using CPU affinity to lock the snort process to a specific CPU? If not this is something to try. If snort bounces to another CPU then the cache line is reset and performance can suffer.
Are you saying that there's real value in ensuring snort remains on the same CPU - even over restarts? Why would the cache matter? I mean, restarting snort means your IDS is deactivated until it's fully operational again - does keeping it on the same CPU simply minimize that outage, or do you mean something else?

Lots of yummy stuff in your message to chew on :-)

Jason

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1