[Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1

elof at ...969... elof at ...969...
Wed Feb 20 04:33:25 EST 2013


On Tue, 19 Feb 2013, Victor Roemer wrote:
> Concerning your performance problems, you'll receive better feedback from
> the snort-users list, the snort-dev is primarily for receiving patches,
> discussing development etc.

Thanks for the tip.
I'm cross-posting the followups to snort-users as well.


> Your shutdown issue is interesting though. Can you send us the following
> 1. Snort Version

# snort --version
    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.4 GRE (Build 40)
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
            Using libpcap version 1.3.0
            Using PCRE version: 8.32 2012-11-30
            Using ZLIB version: 1.2.7

> 2. DAQ version

# snort --daq-list | grep pcap
pcap(v3): readback live multi unpriv

# pkg_info | grep daq
daq-2.0.0


> Also, how are you "shutting down" snort? Which signals are you sending it?

I'm sending a normal TERM signal ('kill <pid>'). Nothing happens unless
a) more packets are seen on the sniffing interface or b) I run
'kill -9 <pid>'.

/Elof






> I know historically there have been problems with BSDs related to
> thread synchronization, etc., and most notably we do some special things
> for OpenBSD to fix these.
>
> - Victor
>
> On Tue, Feb 19, 2013 at 10:41 AM, <elof at ...969...> wrote:
>
>>
>> I just found something strange:
>>
>> How to reproduce:
>>
>> On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort
>> (compiled from ports).
>>
>> Snort is running fine (as a daemon).
>> I replay a test-pcap with 1 000 000 packets at high speed.
>>
>> 'netstat -B' says:
>>    Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
>>    875 pflog0 p--s--l         0         0         0     0     0 pflogd
>>   1757   mon0 p--s---    999988         0    999988     0     0 snort
>>
>> So far everything's good.
>> 0 drops.
>> (the 12 missing packets were dropped externally (in a hub))
>>
>>
>> I stop snort.
>> It terminates just fine within a second or two.
>>
>> Now I run:
>> sysctl net.bpf.zerocopy_enable=1
>>
>> Then I start snort again.
>>
>>
>> Problem #1:
>> I replay the same 1 000 000 packets at the same speed.
>> 'netstat -B' now shows:
>>    Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
>>    875 pflog0 p--s--l         0         0         0     0     0 pflogd
>>   1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort
>>
>> Aw! 159417 drops (16%)!
>> This is reproducible every time.
>>
>>
>> Problem #2:
>> When I now try to terminate the snort process, it won't die.
>> It doesn't even start to syslog that it is shutting down. Nothing happens
>> at all.
>> After a few minutes I give up and kill it with -9.
>>
>> This problem only seems to appear if the monitoring NIC is completely
>> silent (as mine are when I don't replay any test packets).
>> If/when I start replaying some packets again, the snort process that I
>> tried to kill (without -9) now finally terminates.
>>
>>
>>
>> Any ideas what is happening here?
>>
>> /Elof
>>
>>
>
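
The drop figures reported in this thread can be checked automatically on a sensor, since every packet BPF drops is traffic Snort never inspects. The following is an added example, not part of the original thread or of Snort: it parses 'netstat -B' output (the sample rows are copied from the post) and flags capture processes whose Drop/Recv ratio exceeds a threshold. The function names and the 1% threshold are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Sample input: the two `netstat -B` listings quoted in the post.
HDR = "  Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command\n"
PFLOG = "  875 pflog0 p--s--l         0         0         0     0     0 pflogd\n"
BEFORE = HDR + PFLOG + " 1757   mon0 p--s---    999988         0    999988     0     0 snort\n"
AFTER = HDR + PFLOG + " 1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort\n"

@dataclass
class BpfRow:
    pid: int
    netif: str
    flags: str
    recv: int
    drop: int
    match: int
    sblen: int
    hblen: int
    command: str

    @property
    def drop_pct(self) -> float:
        # An idle descriptor (Recv == 0, like pflogd here) must not divide by zero.
        return 100.0 * self.drop / self.recv if self.recv else 0.0

def parse_netstat_b(text: str) -> list[BpfRow]:
    rows = []
    for line in text.splitlines():
        f = line.split(None, 8)  # Command is the last column, may hold spaces
        if len(f) < 9 or not f[0].isdigit():
            continue  # header, blank or truncated line
        try:
            pid, recv, drop, match, sblen, hblen = (int(f[i]) for i in (0, 3, 4, 5, 6, 7))
        except ValueError:
            continue  # counters not numeric: not a data row
        rows.append(BpfRow(pid, f[1], f[2], recv, drop, match, sblen, hblen, f[8].strip()))
    return rows

def lossy(text: str, command: str = "snort", max_pct: float = 1.0) -> list[BpfRow]:
    # max_pct is an assumed alert threshold, not a value from the thread.
    return [r for r in parse_netstat_b(text)
            if r.command == command and r.drop_pct > max_pct]

if __name__ == "__main__":
    for label, sample in (("zerocopy off", BEFORE), ("zerocopy on", AFTER)):
        for r in lossy(sample):
            print(f"{label}: pid {r.pid} on {r.netif} dropped {r.drop_pct:.2f}%")
```

On a live FreeBSD sensor the same functions can be fed the text captured from 'netstat -B', for example from a cron job.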



