[Snort-devel] Huge performance drop for Snort-2.9.4
abed mohammad kamaluddin
abedamu at ...2499...
Thu Feb 7 07:04:59 EST 2013
While upgrading from 18.104.22.168 to 2.9.4, there is huge performance drop.
I have compiled both sources using the same libraries, same compiler
options (default) and am running in the same environment using exactly
the same configuration and rule files. There is anything between 15 -
40 % decrease in performance depending upon the traffic.
I used Intel(R) Xeon(R) CPU X5650 @2.67GHz and daq pcap for the
tests. However live traffic also gives than 20% drop in performance.
Similar behavior is also seen on MIPs cpu. Here are the observations:
Pcap with no alerts, uniform large-sized half-million UDP pkts
snort-22.214.171.124 - 1692 Mbps
snort-2.9.4 - 1364 Mbps (~20% drop)
Pcap with one alert - non-uniform small-sized TCP pkts
snort-126.96.36.199 254 Mbps
snort-2.9.4 163 Mbps (~35 % drop)
This is easily reproducible using all types of traffic. Just to make
sure, I also tried 188.8.131.52 and it gave me good performance equivalent
to 184.108.40.206. So the reduction has crept up in 2.9.4 itself. I haven't
explored it, but maybe consolidation of IPv6 is the cause?
My earlier mail regarding optimization
(http://seclists.org/snort/2013/q1/195) has the same proportionate
performance enhancement on both 2.9.4 and 220.127.116.11.
Abed M K
More information about the Snort-devel