[Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA enabled)

Livio Ricciulli livio at ...3255...
Wed Feb 8 04:00:17 EST 2012


On 2/7/2012 1:41 PM, livio Ricciulli wrote:
> We have had very good luck with DNA; we are getting up to 6.5 Gbps on a
> dual X5670 using ICC and thousands of Snort rules
> (see https://www.metaflows.com/technology/10-gbps-pf_ring-2/), so you
> should be getting 3-4 Gigs of sustained Snort throughput with what you
> have.
> The only thing: make sure the generated traffic is similar to real
> traffic, changing the source port for each simulated connection, and
> optimize the snort.conf.
>
> As for the sniffing mode being slow, it is probably because you are
> running into a disk I/O bottleneck or other unrelated issues. Can you send
> the exact command you use for sniffing mode?
> On 02/07/2012 09:30 AM, Sangwoo Moon wrote:
>> Hi, thanks for your reply.
>>
>> I'm transmitting TCP packets with the payload 'No_attack' at a random
>> position in the packet; the rest of the payload is filled with null
>> characters. I checked performance by calling gettimeofday() in the packet
>> callback function and printing the number each second.
>>
>> --Sangwoo
>>
>> On 2012-02-07 at 5:10 PM, 김무성 wrote:
>>>
>>> I think that it’s because it depends on the kind of traffic.
>>>
>>> What packets did the generator send?
>>>
>>> And how did you check performance?
>>>
>>> *From:*Sangwoo Moon [mailto:swmoon at ...3253...]
>>> *Sent:* Saturday, February 04, 2012 1:59 PM
>>> *To:* snort-devel at lists.sourceforge.net
>>> *Subject:* [Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA
>>> enabled)
>>>
>>> Hi,
>>>
>>> I'm Sangwoo Moon from Korea.
>>>
>>> I'm trying to use multiple Snort processes on the top of PF_RING DAQ
>>> with DNA enabled.
>>>
>>> I'm using Intel 82599EB 10-Gigabit NIC for packet reception, and I'm
>>> using Snort version 2.9.2.1.
>>> I have Intel Xeon CPU which has 12 cores.
>>>
>>> I loaded the DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQ onto
>>> each core.
>>> Then I ran 12 Snort processes with the following bash script. (The '-j'
>>> option in Snort is one that I made for CPU affinitization; 'snort -j
>>> 0' means run the Snort process on core 0.)
>>>
>>> ==============================================
>>>
>>> #!/bin/bash
>>>
>>> for i in `seq 0 1 10`
>>> do
>>>     sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2@$i -j $i > out/snort_$i.out &
>>> done
>>> sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2 at ...3254... -j 11 > out/snort11.out
>>>
>>> ==============================================
>>>
>>> I ran high speed packet generator on the other side with 1500 B
>>> packets, and I got some performance numbers.
>>>
>>> Sniffing only: 1.11 Gbps total
>>> Analyzing with HTTP rule-sets: 4.6 Gbps total
>>>
>>> I configured sniffing mode with an immediately returning packet
>>> callback function, and analyzing mode with the full HTTP-related rule sets.
>>>
>>> I just don't understand why analyzing mode is faster than
>>> sniffing mode. Are there any mistakes or misconfigurations that I made?
>>>
>>> I'll be waiting for your response.
>>>
>>> Thanks and best regards,
>>> --Sangwoo Moon
>>>
>>
>>
>> -- 
>> -Sangwoo
>>
>>
>


-- 
Livio Ricciulli
MetaFlows Inc.
(408) 835-5005
