[Snort-devel] Threaded snort

tlewis at ...255... tlewis at ...255...
Thu Jun 14 11:18:59 EDT 2001


I strongly suspect that snort v2 will support threading.  The main problem
with that whole issue, though, is that the majority of the cost comes in
acquiring the packets, and all of the packet acquisition mechanisms, from
pcap to netfilter to divert, and strongly single-threaded.  Until those
interfaces, which are external to snort, are updated to be multi-threaded,
or until other, threaded packet acquisition mechanisms are built to
replace them, then threading won't give you the huge speedup that you
would think that it would, unless you're just looking for a speedup
on output processing.  Of course, all output methods I know of are
single-threaded, too, but hey, on a 2-way, that's one cpu for packet
acquisition and one cpu for reporting, with the actual matching just
sort of happening wherever it's convenient.  8^)

While we're on the subject, I don't see good prospects of the netfilter
guys making netfilter particularly fast anytime soon.  Anyone out there
ever done any kernel hacking?  Let's pick a linux device driver (I'm
partial to the intel eepro100, since that's what's on my box) and hack
it up to allow snort to mmap the ethernet card's dma target, the receive
buffer, directly.  Now that would let you be SMP and really fly.

--
Todd Lewis
tlewis at ...255...

On Thu, 14 Jun 2001, Sjsnort wrote:

> Hi,
> 
> In a recent discussion on the users list someone claimed that the developers
> aren't planning thread snort in future versions also. Is it true? I thought
> Snort 2.0 would be threaded.
> 
> Siddhartha
> 
> 
> 
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel
> 





More information about the Snort-devel mailing list