[Snort-devel] Huge performance drop for Snort-2.9.4
abed mohammad kamaluddin
abedamu at ...2499...
Fri Feb 8 04:25:29 EST 2013
I have not used any special option for compiling the sources. Simply
provided path to my libraries - Both sources are compiled using same
options and libraries:
make; make install
schedtool -a 0x2 -e ./bin/snort -H --daq pcap -r pcapfile -c
snortRuleDir/snort.conf -N -l log
Abed M K
On Fri, Feb 8, 2013 at 1:38 AM, Bhagya Bantwal <bbantwal at ...402...> wrote:
> Can you please send us the configure options you used with both releases?
> ipv6 was enabled by default in 2.9.1 and hardened in the release 2.9.4.
> On Thu, Feb 7, 2013 at 7:04 AM, abed mohammad kamaluddin <abedamu at ...2499...>
>> While upgrading from 126.96.36.199 to 2.9.4, there is huge performance drop.
>> I have compiled both sources using the same libraries, same compiler
>> options (default) and am running in the same environment using exactly
>> the same configuration and rule files. There is anything between 15 -
>> 40 % decrease in performance depending upon the traffic.
>> I used Intel(R) Xeon(R) CPU X5650 @2.67GHz and daq pcap for the
>> tests. However live traffic also gives than 20% drop in performance.
>> Similar behavior is also seen on MIPs cpu. Here are the observations:
>> Pcap with no alerts, uniform large-sized half-million UDP pkts
>> snort-188.8.131.52 - 1692 Mbps
>> snort-2.9.4 - 1364 Mbps (~20% drop)
>> Pcap with one alert - non-uniform small-sized TCP pkts
>> snort-184.108.40.206 254 Mbps
>> snort-2.9.4 163 Mbps (~35 % drop)
>> This is easily reproducible using all types of traffic. Just to make
>> sure, I also tried 220.127.116.11 and it gave me good performance equivalent
>> to 18.104.22.168. So the reduction has crept up in 2.9.4 itself. I haven't
>> explored it, but maybe consolidation of IPv6 is the cause?
>> My earlier mail regarding optimization
>> (http://seclists.org/snort/2013/q1/195) has the same proportionate
>> performance enhancement on both 2.9.4 and 22.214.171.124.
>> Abed M K
>> Free Next-Gen Firewall Hardware Offer
>> Buy your Sophos next-gen firewall before the end March 2013
>> and get the hardware for free! Learn more.
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> Please visit http://blog.snort.org for the latest news about Snort!
More information about the Snort-devel