[Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA enabled)

livio Ricciulli livio at ...3255...
Tue Feb 7 16:41:42 EST 2012


We have had very good luck with DNA; we are getting up to 6.5 Gbps on a
dual X5670 using ICC and thousands of Snort rules
(see https://www.metaflows.com/technology/10-gbps-pf_ring-2/), so you
should be getting 3-4 Gigs of sustained Snort throughput with what you
have.
The only thing: make sure the generated traffic is similar to real
traffic, changing the source port for each simulated connection, and
optimize the snort.conf.

As far as the sniffing mode being slow, it is probably because you are
running into a disk I/O bottleneck or other unrelated issues. Can you send
the exact command you use for sniffing mode?

On 02/07/2012 09:30 AM, Sangwoo Moon wrote:
> Hi, thanks for your reply.
>
> I'm transmitting TCP packets with the payload 'No_attack' at a random
> position in the packet; the rest of the payload is filled with null
> characters. I checked performance by calling gettimeofday() in the packet
> callback function and printing the number each second.
>
> --Sangwoo
>
> On 2012-02-07 5:10 PM, 김무성 wrote:
>>
>> I think that it depends on the kind of traffic.
>>
>> What packet did the generator send?
>>
>> And how did you check performance?
>>
>> *From:*Sangwoo Moon [mailto:swmoon at ...3253...]
>> *Sent:* Saturday, February 04, 2012 1:59 PM
>> *To:* snort-devel at lists.sourceforge.net
>> *Subject:* [Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA
>> enabled)
>>
>> Hi,
>>
>> I'm Sangwoo Moon from Korea.
>>
>> I'm trying to use multiple Snort processes on top of the PF_RING DAQ
>> with DNA enabled.
>>
>> I'm using an Intel 82599EB 10-Gigabit NIC for packet reception, and I'm
>> using Snort version 2.9.2.1.
>> I have an Intel Xeon CPU which has 12 cores.
>>
>> I loaded the DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQ onto
>> each core.
>> Then I ran 12 Snort processes with the following bash script. (The '-j'
>> option in Snort is one that I made for CPU affinitization; 'snort -j
>> 0' means run the Snort process on core 0.)
>>
>> ==============================================
>>
>> #!/bin/bash
>>
>> for i in `seq 0 1 10`
>> do
>> sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2@$i -j $i > out/snort_$i.out &
>> done
>> sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2 at ...3254... -j 11 > out/snort11.out
>>
>> ==============================================
>>
>> I ran high speed packet generator on the other side with 1500 B
>> packets, and I got some performance numbers.
>>
>> Sniffing only: 1.11 Gbps total
>> Analyzing with HTTP rule-sets: 4.6 Gbps total
>>
>> I configured sniffing mode with an immediately returning packet callback
>> function, and analyzing mode with the full HTTP-related rule sets.
>>
>> I just don't understand why analyzing mode is faster than
>> sniffing mode. Are there any mistakes or misconfigurations that I made?
>>
>> I'll be waiting for your response.
>>
>> Thanks and best regards,
>> --Sangwoo Moon
>>
>
>
> -- 
> -Sangwoo
>
>
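One reason the source port matters in a per-queue setup like `dna2@N`, shown as an added example that is not code from this thread: assuming the NIC spreads TCP flows over the 12 queues with a standard RSS Toeplitz hash of the 4-tuple and a round-robin indirection table (both assumptions, as are the sample key and the addresses), generated traffic that reuses one 4-tuple lands on a single queue and therefore on a single Snort process.

```python
# Added example: RSS-style queue selection for a 12-queue setup.
import ipaddress
import struct

# Sample 40-byte RSS key (the Microsoft RSS verification key); a real NIC
# driver programs its own key, so actual queue numbers will differ.
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa"
)
NUM_QUEUES = 12  # one Snort process per queue, as in the thread
RETA = [i % NUM_QUEUES for i in range(128)]  # assumed round-robin indirection table


def toeplitz_hash(data: bytes, key: bytes = RSS_KEY) -> int:
    """XOR together the 32-bit key window at every set bit of the input."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for pos in range(len(data) * 8):
        if data[pos // 8] & (0x80 >> (pos % 8)):
            result ^= (key_int >> (key_bits - 32 - pos)) & 0xFFFFFFFF
    return result


def rss_queue(src_ip, dst_ip, src_port, dst_port) -> int:
    """Queue index for a TCP/IPv4 flow: hash the 4-tuple, index the table."""
    tup = (ipaddress.IPv4Address(src_ip).packed
           + ipaddress.IPv4Address(dst_ip).packed
           + struct.pack("!HH", src_port, dst_port))
    return RETA[toeplitz_hash(tup) & 0x7F]


def queue_histogram(flows):
    """Count how many flows land on each of the NUM_QUEUES queues."""
    counts = [0] * NUM_QUEUES
    for flow in flows:
        counts[rss_queue(*flow)] += 1
    return counts


# Constructed test traffic (documentation address ranges).
FIXED = [("192.0.2.10", "198.51.100.20", 40000, 80)] * 1200
VARIED = [("192.0.2.10", "198.51.100.20", 1024 + n, 80) for n in range(1200)]

if __name__ == "__main__":
    print("same source port  :", queue_histogram(FIXED))
    print("varied source port:", queue_histogram(VARIED))
```

With the fixed tuple, eleven of the twelve counters stay at zero, so per-process throughput figures say little about how the full set of Snort instances would behave under real traffic.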
