[Snort-devel] Huge performance drop for Snort-2.9.4
abed mohammad kamaluddin
abedamu at ...2499...
Thu Feb 7 07:04:59 EST 2013
While upgrading from 126.96.36.199 to 2.9.4, there is huge performance drop.
I have compiled both sources using the same libraries, same compiler
options (default) and am running in the same environment using exactly
the same configuration and rule files. There is anything between 15 -
40 % decrease in performance depending upon the traffic.
I used Intel(R) Xeon(R) CPU X5650 @2.67GHz and daq pcap for the
tests. However live traffic also gives than 20% drop in performance.
Similar behavior is also seen on MIPs cpu. Here are the observations:
Pcap with no alerts, uniform large-sized half-million UDP pkts
snort-188.8.131.52 - 1692 Mbps
snort-2.9.4 - 1364 Mbps (~20% drop)
Pcap with one alert - non-uniform small-sized TCP pkts
snort-184.108.40.206 254 Mbps
snort-2.9.4 163 Mbps (~35 % drop)
This is easily reproducible using all types of traffic. Just to make
sure, I also tried 220.127.116.11 and it gave me good performance equivalent
to 18.104.22.168. So the reduction has crept up in 2.9.4 itself. I haven't
explored it, but maybe consolidation of IPv6 is the cause?
My earlier mail regarding optimization
(http://seclists.org/snort/2013/q1/195) has the same proportionate
performance enhancement on both 2.9.4 and 22.214.171.124.
Abed M K
More information about the Snort-devel