[Snort-devel] Snort 3 Architecture

Russ rucombs at cisco.com
Sun Jul 23 13:40:16 EDT 2017


Hey Simon,

Snort 3 currently has one thread per packet source, whether that be a 
network interface or pcap.  You can configure that with -z or 
--max-packet-threads.  All processing of a given packet is within the 
thread associated with its source.  You can set CPU affinity for packet 
threads via the process module.  The architecture will evolve over time 
to support hardware offload and elephant flows (too big for a single core).

Please keep us posted on your results or if you have any questions about 
tuning for comparison with Snort 2.

Thanks
Russ

On 7/23/17 4:03 AM, Simon Dzn via Snort-devel wrote:
> Hey all,
>
> I am writing an article regarding Snort 3 performance and I'm 
> having trouble finding a reliable resource on the current architecture.
> I saw in the Snort 3 documentation the difference in the packet 
> processing but couldn't find out if you are creating a thread for each 
> packet or several threads for detection.
>
> Thanks and have a great day!
