Snort mailing list archives
Re: high packet loss - low throughput
From: beenph <beenph () gmail com>
Date: Sun, 21 Jul 2013 08:19:15 -0400
Disable hyperthreading. Balance your IRQ's so network irq are cpu bound. bind each instance of snort to each cpu its listening network interface is bound. On Sun, Jul 21, 2013 at 6:16 AM, Michal Purzynski <michal () rsbac org> wrote:
On 7/21/13 2:22 AM, Joel Esler wrote: On Jul 20, 2013, at 6:46 PM, Michal Purzynski <michal () rsbac org> wrote: The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find it actualy hard to believe as the "empty" snort used to do around 250-300Mbit/sec per core here. Empty as in no rules at all. Even more. But we have a dedicated appliance specifically tuned with special drivers to run Snort very fast. You are doing this, I assume on commodity hardware, on a stock OS, running many things (Security Onion) Not really, SO is so wonderful you can enable and disable functionality on demand, and so I've done. The box is running snort and netsniff-ng only, has around 20 processes of snort (24 execution threads with HT enabled). Still - 45Mbit/sec per instance with packet loss is disappointing. And 100 would be too. Also, I'm running Intel and pf_ring, can try a Myricom (and not pf_ring). I won't try anything more expensive like FPGA accelerated cards, since I find them too limited and having no real advantage over Myricom and a lot of downsides. ------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: high packet loss - low throughput, (continued)
- Re: high packet loss - low throughput Michal Purzynski (Jul 21)
- Re: high packet loss - low throughput Joel Esler (Jul 21)
- Re: high packet loss - low throughput Michal Purzynski (Jul 21)
- Re: high packet loss - low throughput beenph (Jul 21)
- Re: high packet loss - low throughput Joel Esler (Jul 21)
- Re: high packet loss - low throughput Michal Purzynski (Jul 21)
- Re: high packet loss - low throughput Michal Purzynski (Jul 22)
- Re: high packet loss - low throughput Livio Ricciulli (Jul 22)
- Re: high packet loss - low throughput Michal Purzynski (Jul 23)
- Re: high packet loss - low throughput Livio Ricciulli (Jul 23)
- Re: high packet loss - low throughput beenph (Jul 21)
- Re: high packet loss - low throughput Michal Purzynski (Jul 21)
- Re: high packet loss - low throughput beenph (Jul 21)
- Re: high packet loss - low throughput Michal Purzynski (Jul 21)
- Re: high packet loss - low throughput Doug Burks (Jul 21)
- Re: high packet loss - low throughput waldo kitty (Jul 19)
- Re: high packet loss - low throughput Michal Purzynski (Jul 21)