Snort mailing list archives
Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1
From: Victor Roemer <vroemer () sourcefire com>
Date: Wed, 20 Feb 2013 17:27:16 -0500
Dug through the code a bit, and reread some libpcap documentation -- seems this may be due to inconsistent behavior across different "systems" that interpret the use of "timeout" in different ways.

Do you see this with other DAQs as well? (The "dump" DAQ is an exception; it's based on pcap as well.) Meanwhile, I'll open a bug so we can investigate this more thoroughly.

- Victor

On Wed, Feb 20, 2013 at 4:33 AM, <elof () sentor se> wrote:

> On Tue, 19 Feb 2013, Victor Roemer wrote:
>
>> Concerning your performance problems, you'll receive better feedback from the snort-users list; the snort-dev list is primarily for receiving patches, discussing development etc.
>
> Thanks for the tip. I'm cross-posting the followups to snort-users as well.
>
>> Your shutdown issue is interesting though. Can you send us the following:
>>
>> 1. Snort version
>
> # snort --version
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4 GRE (Build 40)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.3.0
>            Using PCRE version: 8.32 2012-11-30
>            Using ZLIB version: 1.2.7
>
>> 2. DAQ version
>
> # snort --daq-list | grep pcap
> pcap(v3): readback live multi unpriv
>
> # pkg_info | grep daq
> daq-2.0.0
>
>> Also, how are you "shutting down" snort? Which signals are you sending it?
>
> I'm sending a normal TERM signal ('kill <pid>'). Nothing happens unless a) more packets are seen on the sniffing interface or b) I run 'kill -9 <pid>'.
>
> /Elof
>
>> I know historically there have been problems with BSDs related to thread synchronization, etc., and most notably we do some special things for OpenBSD to fix these.
>>
>> - Victor
>>
>> On Tue, Feb 19, 2013 at 10:41 AM, <elof () sentor se> wrote:
>>
>>> I just found something strange:
>>>
>>> How to reproduce:
>>>
>>> On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort (compiled from ports). Snort is running fine (as a daemon). I replay a test-pcap with 1 000 000 packets at high speed.
>>>
>>> 'netstat -B' says:
>>>
>>>  Pid Netif  Flags     Recv   Drop  Match   Sblen   Hblen Command
>>>  875 pflog0 p--s--l      0      0      0       0       0 pflogd
>>> 1757 mon0   p--s--- 999988      0 999988       0       0 snort
>>>
>>> So far everything's good. 0 drops. (The 12 missing packets were dropped externally, in a hub.)
>>>
>>> I stop snort. It terminates just fine within a second or two.
>>>
>>> Now I run: sysctl net.bpf.zerocopy_enable=1
>>>
>>> Then I start snort again.
>>>
>>> Problem #1:
>>>
>>> I replay the same 1 000 000 packets at the same speed. 'netstat -B' now shows:
>>>
>>>  Pid Netif  Flags     Recv   Drop  Match   Sblen   Hblen Command
>>>  875 pflog0 p--s--l      0      0      0       0       0 pflogd
>>> 1912 mon0   p--s--- 999978 159417 999978 2096329 2095593 snort
>>>
>>> Aw! 159417 drops (16%)! This is reproducible every time.
>>>
>>> Problem #2:
>>>
>>> When I now try to terminate the snort process, it won't die. It doesn't even start to syslog that it is shutting down. Nothing happens at all. After a few minutes I give up and kill it with -9.
>>>
>>> This problem only seems to appear if the monitoring NIC is completely silent (as mine are when I don't replay any test packets). If/when I start replaying some packets again, the snort process that I tried to kill (without -9) now finally terminates.
>>>
>>> Any ideas what is happening here?
>>>
>>> /Elof
>>>
>>> ------------------------------------------------------------------------------
>>> Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics. Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel () lists sourceforge net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>> Please visit http://blog.snort.org for the latest news about Snort!
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
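The 16% figure in the thread was worked out by hand from the Recv and Drop columns of 'netstat -B'. A sensor operator wants that number checked continuously, since packets dropped at the BPF layer are packets the IDS never inspects. The following is an added example, not code from the thread or from the Snort project: a small POSIX shell/awk check that reads 'netstat -B' output, locates the columns by their header names, and flags a BPF consumer whose drop rate exceeds a threshold. The embedded sample input is the two snapshots quoted above (zero-copy off, then on); the column layout is assumed to be the one shown in the thread for FreeBSD 9.1, and the process name "snort" and 1% threshold in the usage line are assumed deployment choices.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): turn the
# manual "Drop / Recv" reading of 'netstat -B' into a repeatable check.

# Constructed sample input: the two 'netstat -B' snapshots quoted in the
# thread, first with net.bpf.zerocopy_enable=0 and then with it set to 1,
# embedded here so the check runs offline.
SAMPLE_ZC_OFF='Pid Netif Flags Recv Drop Match Sblen Hblen Command
875 pflog0 p--s--l 0 0 0 0 0 pflogd
1757 mon0 p--s--- 999988 0 999988 0 0 snort'

SAMPLE_ZC_ON='Pid Netif Flags Recv Drop Match Sblen Hblen Command
875 pflog0 p--s--l 0 0 0 0 0 pflogd
1912 mon0 p--s--- 999978 159417 999978 2096329 2095593 snort'

# bpf_drop_pct NAME
# Reads 'netstat -B' output on stdin and prints the BPF drop percentage
# (rounded to the nearest whole percent) for the first descriptor whose
# Command column equals NAME. Columns are found by header name, so the
# check does not depend on column order. Prints nothing if NAME has no row.
bpf_drop_pct() {
    awk -v name="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["Command"]) == name {
            recv = $(col["Recv"]); drop = $(col["Drop"])
            if (recv > 0) printf "%.0f\n", 100 * drop / recv
            else print 0      # no packets received yet, so none could be dropped
            exit
        }'
}

# bpf_check NAME THRESHOLD
# Exit status 0 when NAME drops at most THRESHOLD percent at the BPF layer,
# 1 when it drops more, 2 when NAME has no BPF descriptor in the input.
bpf_check() {
    pct=$(bpf_drop_pct "$1")
    [ -n "$pct" ] || return 2
    [ "$pct" -le "$2" ]
}

# Stand-alone use on a FreeBSD sensor (assumed deployment; "snort" and the
# 1% threshold are placeholders, not values from the thread):
#   netstat -B | bpf_check snort 1 || echo "snort is dropping packets at the BPF layer"
```

Run against the thread's own numbers, the zero-copy-off snapshot reports 0% and the zero-copy-on snapshot reports 16% for snort, which is the figure Elof quoted. Note that in those two snapshots only the zero-copy run shows nonzero Sblen and Hblen values, so logging those columns alongside the drop rate makes it easier to tell later whether a drop spike coincided with a buffer-mode change on the sensor.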
Current thread:
- Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 19)
- Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 Victor Roemer (Feb 19)
- Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 20)
- Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 Victor Roemer (Feb 20)
- Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 21)
- Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 20)
- Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 Victor Roemer (Feb 19)