[Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1

elof at ...969...
Tue Feb 19 10:41:55 EST 2013


I just found something strange:

How to reproduce:

On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort 
(compiled from ports).

Snort is running fine (as a daemon).
I replay a test-pcap with 1 000 000 packets at high speed.

'netstat -B' says:
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1757   mon0 p--s---    999988         0    999988     0     0 snort

So far everything's good.
0 drops.
(the 12 missing packets were dropped externally (in a hub))


I stop snort.
It terminates just fine within a second or two.

Now I run:
sysctl net.bpf.zerocopy_enable=1

Then I start snort again.


Problem #1:
I replay the same 1 000 000 packets at the same speed.
'netstat -B' now shows:
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort

Aw! 159417 drops (16%)!
This is reproducible every time.


Problem #2:
When I now try to terminate the snort process, it won't die.
It doesn't even start to syslog that it is shutting down. Nothing happens 
at all.
After a few minutes I give up and kill it with -9.

This problem only seems to appear if the monitoring NIC is completely 
silent (as mine are when I don't replay any test packets).
If/when I start replaying some packets again, the snort process that I 
tried to kill (without -9) now finally terminates.



Any ideas what is happening here?

/Elof
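As an added example (not part of Elof's post and not Snort project code), the
following Python script parses the two `netstat -B` tables quoted above and
flags any BPF consumer whose drop ratio exceeds a threshold, which is the kind
of check a sensor operator would run to catch a blind IDS. The sample input is
constructed from the two tables in the post; the 1% threshold is an assumed
value, and the drop ratio is taken as Drop divided by Recv, which reproduces the
16% figure the post arrives at.

```python
"""Parse FreeBSD `netstat -B` output and flag BPF consumers that drop packets.

Added example; not code from the mailing-list post or from Snort.
"""

# Constructed sample input: the two `netstat -B` tables quoted in the post,
# captured before and after `sysctl net.bpf.zerocopy_enable=1`.
NETSTAT_BEFORE = """\
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1757   mon0 p--s---    999988         0    999988     0     0 snort
"""

NETSTAT_AFTER = """\
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort
"""

# Columns of `netstat -B` that hold integers; Flags and Command stay strings.
NUMERIC_COLUMNS = ("Pid", "Recv", "Drop", "Match", "Sblen", "Hblen")

# Assumed alert threshold: flag a consumer once more than 1% of received
# packets were dropped by its BPF buffer.
DROP_THRESHOLD = 0.01


def parse_netstat_b(text):
    """Turn a `netstat -B` table into a list of dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        # Split into at most len(header) fields so that a Command containing
        # spaces is kept whole in the last column.
        fields = line.split(None, len(header) - 1)
        if len(fields) != len(header):
            continue  # skip anything that is not a well-formed data row
        row = dict(zip(header, fields))
        for column in NUMERIC_COLUMNS:
            row[column] = int(row[column])
        rows.append(row)
    return rows


def drop_ratio(row):
    """Fraction of received packets the BPF buffer dropped for this consumer.

    A consumer that has received nothing (e.g. an idle pflog0) has no drops
    to speak of, so its ratio is 0.0 rather than a division error.
    """
    if row["Recv"] == 0:
        return 0.0
    return row["Drop"] / row["Recv"]


def flag_drops(rows, threshold=DROP_THRESHOLD):
    """Return (Command, Netif, ratio) for every consumer above the threshold."""
    flagged = []
    for row in rows:
        ratio = drop_ratio(row)
        if ratio > threshold:
            flagged.append((row["Command"], row["Netif"], ratio))
    return flagged


def report(text, threshold=DROP_THRESHOLD):
    """Human-readable lines for each consumer dropping above the threshold."""
    return [
        f"{command} on {netif}: {ratio:.1%} of received packets dropped"
        for command, netif, ratio in flag_drops(parse_netstat_b(text), threshold)
    ]


if __name__ == "__main__":
    print("before zerocopy:", report(NETSTAT_BEFORE) or ["no drops"])
    print("after zerocopy: ", report(NETSTAT_AFTER) or ["no drops"])
```

Run it against live output with `netstat -B | python3 bpfdrops.py`-style plumbing by
replacing the constants with `sys.stdin.read()`; the Sblen/Hblen columns are
parsed too, so the same rows can be used to see how the store and hold buffer
lengths changed between the two runs in the post.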



