[Snort-devel] performance: CheckDstIp
cmg at ...402...
Tue Mar 19 11:49:03 EST 2002
cm at ...1206... (Christian Mock) writes:
> while profiling snort, I found an interesting fact today: CheckDstIp is
> number one in the profiling chart.
Yuppers and it's called a lot! One of the things we're working on is
optimizing out the detection enigne so that we don't have to call it
nearly as often.
> This is snort 1.8.4, which in this configuration (8 CIDR blocks as $HOME_NET
> plus about 1000 rules) manages to use all CPU on a celeron/900 box with
> only 4 MBits of monitored network traffic (1000 packets/sec).
Back when snort started, that many CIDR blocks wasn't a
consideration. Are they all non-contigous class C's? or can you
represent them better as a /22?
> Weeding out some unused networks from $HOME_NET brought the list down to
> 4 CIDR blocks and CheckDstIp to 52% of the total run time.
> I certainly would have expected the pattern matching functions and the
> more complex plugins to be at the top of the profile output...
> What I tried now is to swap the order of the PortToFunc and AddrToFunc calls
> in SetupRTNFuncList, because CheckDstPortEqual seems to be a much cheaper
> function call than CheckDstIp, even if we divide the "self" number above
> by eight. A new profiling run with the modified binary shows it's getting
> much faster:
> % cumulative self self total
> total CPU time is 130 vs. 75 seconds (note that both profiling runs were
> taken "off the network", i.e. conditions are not completely equal).
> Now the interesting question is: is the change I made (patch is below)
> valid, or does it break something? I don't grok the snort code enough
> to judge this...
It should be valid; All the checks combine together anyway so that
should be a good change for the current design. Actually, that is
probably a good general optimization as well. Thanks for point it out.k
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
More information about the Snort-devel