[Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA enabled)

balaji patnala patnala003 at ...2499...
Wed Feb 8 01:52:08 EST 2012


Hi Sangwoo,

I don't think it is the proper way of doing a performance test. Try to
use IXIA or Spirent devices for correct measurements.

bye,
balaji

On 2/7/12, Sangwoo Moon <swmoon at ...3253...> wrote:
> Hi, thanks for your reply.
>
> I'm transmitting TCP packets with the payload 'No_attack' at a random position
> in the packet; the rest of the payload is filled with null characters.
> I checked performance by calling gettimeofday() in the packet callback
> function and printing the number each second.
>
> --Sangwoo
>
> On 2012-02-07 at 5:10 PM, 김무성 wrote:
>>
>> I think that it's because it depends on the kind of traffic.
>>
>> What packet did the generator send?
>>
>> And how did you check performance?
>>
>> *From:*Sangwoo Moon [mailto:swmoon at ...3253...]
>> *Sent:* Saturday, February 04, 2012 1:59 PM
>> *To:* snort-devel at lists.sourceforge.net
>> *Subject:* [Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA
>> enabled)
>>
>> Hi,
>>
>> I'm Sangwoo Moon from Korea.
>>
>> I'm trying to use multiple Snort processes on top of the PF_RING DAQ
>> with DNA enabled.
>>
>> I'm using an Intel 82599EB 10-Gigabit NIC for packet reception, and I'm
>> using Snort version 2.9.2.1.
>> I have an Intel Xeon CPU which has 12 cores.
>>
>> I loaded the DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQ onto
>> each core.
>> Then I ran 12 Snort processes with the following bash script. (The '-j' option
>> in Snort is one that I made for CPU affinitization; 'snort -j 0' means
>> run the Snort process on core 0.)
>>
>> ==============================================
>>
>> #!/bin/bash
>>
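>> # One Snort process per DNA queue (dna2@N), pinned to core N with the custom -j option.
>> # Queues 0-10 run in the background; the last process stays in the foreground.
>> for i in `seq 0 1 10`
>> do
>>     sudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq \
>>         pfring -i dna2@$i -j $i > out/snort_$i.out &
>> done
>> sudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq \
>>     pfring -i dna2 at ...3254... -j 11 > out/snort11.out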
>>
>> ==============================================
>>
>> I ran a high-speed packet generator on the other side with 1500 B
>> packets, and I got some performance numbers.
>>
>> Sniffing only: 1.11 Gbps total
>> Analyzing with HTTP rule-sets: 4.6 Gbps total
>>
>> I configured sniffing mode with an immediately returning packet callback
>> function, and analyzing mode with the full HTTP-related rule sets.
>>
>> I just don't understand why analyzing mode is faster than
>> sniffing mode. Are there any mistakes or misconfigurations that I made?
>>
>> I'll be waiting for your response.
>>
>> Thanks and best regards,
>> --Sangwoo Moon
>>
>
>
> --
> -Sangwoo
>
>
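
The per-second measurement described in the thread (gettimeofday() in the packet callback, one printed number each second), written out as an added example; it is not code from the thread, from Snort or from the DAQ. The names `rate_meter`, `rate_meter_add` and `on_packet` are hypothetical, and the meter covers a single process only.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Per-process throughput meter (hypothetical names, not Snort/DAQ code). */
struct rate_meter {
    struct timeval window_start; /* start of the current window */
    uint64_t pkts;               /* packets counted in the window */
    uint64_t bytes;              /* bytes counted in the window */
    int started;                 /* 0 until the first packet arrives */
};

/* Microseconds elapsed from a to b. */
static int64_t tv_diff_us(const struct timeval *a, const struct timeval *b)
{
    return (int64_t)(b->tv_sec - a->tv_sec) * 1000000 + (b->tv_usec - a->tv_usec);
}

/* Account one packet of len bytes seen at time now. When at least one
 * second has passed since the window opened, write that window's rate to
 * *mbps and *pps, open a new window and return 1; otherwise return 0. */
int rate_meter_add(struct rate_meter *m, const struct timeval *now,
                   uint32_t len, double *mbps, double *pps)
{
    int done = 0;
    if (!m->started) { m->window_start = *now; m->started = 1; }
    int64_t us = tv_diff_us(&m->window_start, now);
    if (us >= 1000000) {
        /* Divide by the real elapsed time, not by a nominal 1 s:
         * bits per microsecond equals megabits per second. */
        *mbps = (double)m->bytes * 8.0 / (double)us;
        *pps = (double)m->pkts * 1e6 / (double)us;
        m->window_start = *now;
        m->pkts = 0;
        m->bytes = 0;
        done = 1;
    }
    m->pkts++;          /* the triggering packet belongs to the new window */
    m->bytes += len;
    return done;
}

/* Callback-side use: read the clock, account the packet, print per window. */
void on_packet(struct rate_meter *m, uint32_t len)
{
    struct timeval now;
    double mbps, pps;
    gettimeofday(&now, NULL);
    if (rate_meter_add(m, &now, len, &mbps, &pps))
        printf("%.1f Mbit/s, %.0f pkt/s\n", mbps, pps);
}
```
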



