[Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA enabled)

Sangwoo Moon swmoon at ...3253...
Tue Feb 7 12:30:50 EST 2012


Hi, thanks for your reply.

I'm transmitting TCP packets with the payload 'No_attack' at a random
position in the packet; the rest of the payload is filled with null characters.
I checked performance by calling gettimeofday() in the packet callback
function and printing the number each second.

--Sangwoo

On 2012-02-07 at 5:10 PM, 김무성 wrote:
>
> I think that it's because it depends on the kind of traffic.
>
> What packet did the generator send?
>
> And how did you check performance?
>
> *From:*Sangwoo Moon [mailto:swmoon at ...3253...]
> *Sent:* Saturday, February 04, 2012 1:59 PM
> *To:* snort-devel at lists.sourceforge.net
> *Subject:* [Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA
> enabled)
>
> Hi,
>
> I'm Sangwoo Moon from Korea.
>
> I'm trying to use multiple Snort processes on top of the PF_RING DAQ
> with DNA enabled.
>
> I'm using an Intel 82599EB 10-Gigabit NIC for packet reception, and I'm
> using Snort version 2.9.2.1.
> I have an Intel Xeon CPU which has 12 cores.
>
> I loaded the DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQ onto
> each core.
> Then I ran 12 Snort processes with the following bash script. (The '-j'
> option in Snort is one that I made for CPU affinitization; 'snort -j 0'
> means run the Snort process on core 0.)
>
> ==============================================
>
> #!/bin/bash
>
> for i in `seq 0 1 10`
> do
> sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2@$i -j $i > out/snort_$i.out &
> done
> sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2 at ...3254... -j 11 > out/snort11.out
>
> ==============================================
>
> I ran high speed packet generator on the other side with 1500 B
> packets, and I got some performance numbers.
>
> Sniffing only: 1.11 Gbps total
> Analyzing with HTTP rule-sets: 4.6 Gbps total
>
> I configured sniffing mode with a packet callback function that returns
> immediately, and analyzing mode with the full HTTP-related rule sets.
>
> I just don't understand why analyzing mode is faster than
> sniffing mode. Are there any mistakes or misconfigurations that I made?
>
> I'll be waiting for your response.
>
> Thanks and best regards,
> --Sangwoo Moon
>


-- 
-Sangwoo
