[Snort-devel] Snort.org Blog: Snort 2.9.1 beta coming soon!

Joel Esler jesler at ...402...
Mon Jun 13 16:08:48 EDT 2011


On Jun 13, 2011, at 4:01 PM, Russ Combs wrote:

> Ok, I get why stream reassembly is theoretically more efficient in a
> single thread because of CPU caching, etc., but I don't understand why
> packets still have to wait in line for a u2 entry to be written.  It
> seems like tossing output from the main thread into an async output
> thread would be pretty easy because you don't have to keep state and
> everything is one-way.  For alerting, the volume is not an issue, but
> as more analysts use packet tagging and now HTTP logging, the strain
> on that single main thread is going to cause packet drops for some if
> they're not extremely careful.  If I'm missing something, I'd be
> grateful for clarification.
> 
> Agreed.  I don't think this issue has reached a point where it is on our roadmap yet, but all the extra logging could lead to reevaluating sooner rather than later.  Thanks for your comments.

Martin,

We were just having a discussion on that this morning, so we'll keep it open.  Thanks for your input.  Lets us know that the community is concerned as well.

Joel
