[Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1

Victor Roemer vroemer at ...402...
Tue Feb 19 16:04:14 EST 2013


Hi elof,

Concerning your performance problems, you'll receive better feedback from
the snort-users list; the snort-dev list is primarily for receiving patches,
discussing development, etc.


Your shutdown issue is interesting though. Can you send us the following:

1. Snort Version
2. DAQ version

Also, how are you "shutting down" snort? Which signals are you sending it?


I know historically there have been problems with BSDs related to
thread synchronization, etc., and most notably we do some special things
for OpenBSD to fix these.

- Victor

On Tue, Feb 19, 2013 at 10:41 AM, <elof at ...969...> wrote:

>
> I just found something strange:
>
> How to reproduce:
>
> On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort
> (compiled from ports).
>
> Snort is running fine (as a daemon).
> I replay a test-pcap with 1 000 000 packets at high speed.
>
> 'netstat -B' says:
>    Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
>    875 pflog0 p--s--l         0         0         0     0     0 pflogd
>   1757   mon0 p--s---    999988         0    999988     0     0 snort
>
> So far everything's good.
> 0 drops.
> (the 12 missing packets were dropped externally (in a hub))
>
>
> I stop snort.
> It terminates just fine within a second or two.
>
> Now I run:
> sysctl net.bpf.zerocopy_enable=1
>
> Then I start snort again.
>
>
> Problem #1:
> I replay the same 1 000 000 packets at the same speed.
> 'netstat -B' now shows:
>    Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
>    875 pflog0 p--s--l         0         0         0     0     0 pflogd
>   1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort
>
> Aw! 159417 drops (16%)!
> This is reproducible every time.
>
>
> Problem #2:
> When I now try to terminate the snort process, it won't die.
> It doesn't even start to syslog that it is shutting down. Nothing happens
> at all.
> After a few minutes I give up and kill it with -9.
>
> This problem only seems to appear if the monitoring NIC is completely
> silent (as mine are when I don't replay any test packets).
> If/when I start replaying some packets again, the snort process that I
> tried to kill (without -9) now finally terminates.
>
>
>
> Any ideas what is happening here?
>
> /Elof