[Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1

elof at ...969...
Thu Feb 21 05:05:25 EST 2013


I only have "ipfw" daq apart from "pcap" and "dump".
I've never used it nor run snort in inline mode.

Thanks for opening a bug. I was expecting really positive results when 
upgrading to FreeBSD 9.1 and enabling zerocopy bpf, not *decreased* 
performance.


PS:
Speaking of bpf/daq buffers...
I think you should add a little bit of verbosity when initializing snort, 
printing out what bpf bufsize snort uses.

Two examples:
Ex - User has not explicitly set any --daq-var buffer_size :
   ...
   pcap DAQ configured to passive mode.
   pcap DAQ buffer_size: 10 485 760 bytes (default OS bpf buf size)
   ...

Ex - User has set the --daq-var buffer_size to 512MB but the OS's 
net.bpf.maxbufsize only allows 128MB :
   ...
   pcap DAQ configured to passive mode.
   pcap DAQ buffer_size: 134 217 728 bytes (snort asked for 536 870 912 bytes)
   ...

/Elof


On Wed, 20 Feb 2013, Victor Roemer wrote:
> Dug through the code a bit, and reread some libpcap documentation -- seems
> this may be due to inconsistent behavior across different "systems" that
> interpret the use of "timeout" in different ways.
>
> Do you see this with other DAQs as well? ("dump" daq is an exception, it's
> based on pcap as well)
>
> Meanwhile, I'll open a bug so we can investigate this more thoroughly.
>
> - Victor
>
> On Wed, Feb 20, 2013 at 4:33 AM, <elof at ...969...> wrote:
>
>>
>> On Tue, 19 Feb 2013, Victor Roemer wrote:
>>
>>> Concerning your performance problems, you'll receive better feedback from
>>> the snort-users list, the snort-dev is primarily for receiving patches,
>>> discussing development etc..
>>>
>>
>> Thanks for the tip.
>> I'm cross-posting the followups to snort-users as well.
>>
>>
>>
>>> Your shutdown issue is interesting though. Can you send us the following
>>> 1. Snort Version
>>>
>>
>> # snort --version
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.4 GRE (Build 40)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>            Using libpcap version 1.3.0
>>            Using PCRE version: 8.32 2012-11-30
>>            Using ZLIB version: 1.2.7
>>
>>> 2. DAQ version
>>>
>>
>> # snort --daq-list | grep pcap
>> pcap(v3): readback live multi unpriv
>>
>> # pkg_info | grep daq
>> daq-2.0.0
>>
>>
>>
>>> Also, how are you "shutting down" snort. Which signals are you sending
>>> it?
>>>
>>
>> I'm sending a normal TERM signal ('kill <pid>'). Nothing happens unless a)
>> more packets are seen on the sniffing interface or b) I run 'kill -9 <pid>'.
>>
>> /Elof
>>
>>> I know historically there have been problems with BSDs related to
>>> thread synchronization, etc.. and most notably we do some special things
>>> for OpenBSD to fix these.
>>>
>>> - Victor
>>>
>>> On Tue, Feb 19, 2013 at 10:41 AM, <elof at ...969...> wrote:
>>>
>>>
>>>> I just found something strange:
>>>>
>>>> How to reproduce:
>>>>
>>>> On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort
>>>> (compiled from ports).
>>>>
>>>> Snort is running fine (as a daemon).
>>>> I replay a test-pcap with 1 000 000 packets at high speed.
>>>>
>>>> 'netstat -B' says:
>>>>    Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
>>>>    875 pflog0 p--s--l         0         0         0     0     0 pflogd
>>>>   1757   mon0 p--s---    999988         0    999988     0     0 snort
>>>>
>>>> So far everything's good.
>>>> 0 drops.
>>>> (the 12 missing packets were dropped externally (in a hub))
>>>>
>>>>
>>>> I stop snort.
>>>> It terminates just fine within a second or two.
>>>>
>>>> Now I run:
>>>> sysctl net.bpf.zerocopy_enable=1
>>>>
>>>> Then I start snort again.
>>>>
>>>>
>>>> Problem #1:
>>>> I replay the same 1 000 000 packets at the same speed.
>>>> 'netstat -B' now shows:
>>>>    Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
>>>>    875 pflog0 p--s--l         0         0         0     0     0 pflogd
>>>>   1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort
>>>>
>>>> Aw! 159417 drops (16%)!
>>>> This is reproducible every time.
>>>>
>>>>
>>>> Problem #2:
>>>> When I now try to terminate the snort process, it won't die.
>>>> It doesn't even start to syslog that it is shutting down. Nothing happens
>>>> at all.
>>>> After a few minutes I give up and kill it with -9.
>>>>
>>>> This problem only seems to appear if the monitoring NIC is completely
>>>> silent (as mine are when I don't replay any test packets).
>>>> If/when I start replaying some packets again, the snort process that I
>>>> tried to kill (without -9) now finally terminates.
>>>>
>>>>
>>>>
>>>> Any ideas what is happening here?
>>>>
>>>> /Elof
>>>>
>>>>
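The thread compares two 'netstat -B' snapshots by eye (0 drops before, 159417 drops after enabling zero-copy BPF). Below is an added example, not code from the thread or from Snort, that parses that 'netstat -B' table, computes the per-consumer kernel drop rate and reports the store/hold buffer lengths (Sblen/Hblen) so the comparison can be scripted; the sample input is constructed from the two tables quoted above, and the 1% alert threshold is an assumed value.

```python
"""Parse FreeBSD 'netstat -B' output and flag BPF consumers with drops."""
from dataclasses import dataclass

# Constructed sample input: the two snapshots quoted in the thread,
# taken before and after sysctl net.bpf.zerocopy_enable=1.
NETSTAT_B_BEFORE = """\
  Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
  875 pflog0 p--s--l         0         0         0     0     0 pflogd
 1757   mon0 p--s---    999988         0    999988     0     0 snort
"""
NETSTAT_B_AFTER = """\
  Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
  875 pflog0 p--s--l         0         0         0     0     0 pflogd
 1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort
"""

@dataclass
class BpfConsumer:
    pid: int
    netif: str
    flags: str
    recv: int    # packets seen by this descriptor's filter
    drop: int    # packets dropped in the kernel (buffer full)
    match: int
    sblen: int   # bytes currently in the store buffer
    hblen: int   # bytes currently in the hold buffer, not yet read
    command: str

    @property
    def drop_pct(self) -> float:
        """Kernel BPF drops as a percentage of packets received."""
        return 0.0 if self.recv == 0 else 100.0 * self.drop / self.recv

def parse_netstat_b(text: str) -> list:
    """Parse the whitespace-separated table; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        counters = [int(x) for x in parts[3:8]]
        rows.append(BpfConsumer(int(parts[0]), parts[1], parts[2],
                                *counters, " ".join(parts[8:])))
    return rows

def drop_alerts(text: str, command: str = "snort", threshold_pct: float = 1.0) -> list:
    """(netif, pid, drop_pct) for each `command` consumer over the threshold."""
    return [(c.netif, c.pid, round(c.drop_pct, 1)) for c in parse_netstat_b(text)
            if c.command == command and c.drop_pct > threshold_pct]

def pending_buffers(text: str, command: str = "snort") -> dict:
    """netif -> (sblen, hblen); non-zero means data is parked in the kernel."""
    return {c.netif: (c.sblen, c.hblen) for c in parse_netstat_b(text)
            if c.command == command}
```

Run it against live output with `drop_alerts(subprocess.check_output(["netstat", "-B"], text=True))` on the sensor host; a non-empty result is the condition the thread describes.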



