[Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA enabled)

Sangwoo Moon swmoon at ...3253...
Fri Feb 3 23:58:40 EST 2012


Hi,

I'm Sangwoo Moon from Korea.

I'm trying to use multiple Snort processes on the top of PF_RING DAQ 
with DNA enabled.

I'm using Intel 82599EB 10-Gigabit NIC for packet reception, and I'm 
using Snort version 2.9.2.1.
I have Intel Xeon CPU which has 12 cores.

I loaded DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQs onto 
each cores.
Then I ran 12 Snort processes like following bash script. ('-j' option 
in Snort is that I made it for CPU affinitization, 'snort -j 0' means 
run Snort process in core 0.)

==============================================

#!/bin/bash

for i in `seq 0 1 10`
do
     sudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq 
pfring -i dna2@$i -j $i > out/snort_$i.out &
done
sudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq pfring 
-i dna2 at ...3254... -j 11 > out/snort11.out

==============================================

I ran high speed packet generator on the other side with 1500 B packets, 
and I got some performance numbers.

Sniffing only: 1.11 Gbps total
Analyzing with HTTP rule-sets: 4.6 Gbps total

I configured sniffing mode with immediately returning packet callback 
function, analyzing mode with full HTTP-related rule sets.

I just don't understand why does analyzing mode is faster than sniffing 
mode.. Is there any mistakes or misconfigurations that I made?

I'll be waiting for your response.

Thanks and best regards,
--Sangwoo Moon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20120204/ce4517d0/attachment.html>


More information about the Snort-devel mailing list