Snort mailing list archives
Re: Snort 2.9, RHEL 5 and afpacket DAQ
From: Rich Graves <rcgraves () gmail com>
Date: Wed, 20 Oct 2010 11:44:36 -0500 (CDT)
I can reproduce this too, on a RHEL5 x86_64 system with 4GB RAM. I've tried kernels 2.6.18-194.17.1.el5 and 2.6.18-194.11.1.el5, so it's not the fault of any of the recent updates. The sum total is 49MB. I can't even run snort -T if snort -c is running.

So far, performance doesn't look good.

For several months, I was running Snort 2.8.6 linked with Phil Woods' MMAP patches to libpcap 0.98 configured with 300MB buffer: <0.1% to 5% packet drops (drops have jumped in the last 10 days without significant increase in byte or packet count; I haven't had the time to figure out the rules responsible)

Snort 2.9.0 linked with libpcap 1.1.1, default pcap acquisition: 30% packet drops

Snort 2.9.0 linked with libpcap 1.1.1, afpacket acquisition with 49MB buffer: 9% packet drops

This might not be an apples-to-apples comparison for various reasons, including recent RedHat kernel updates, the jump in drops that started before upgrading, and possible reporting variance (i.e., 2.8.6 and 2.9 might be counting different things). But when I revert from 2.9.0 to 2.8.6 I seem to get both fewer drops and more alerts.