[Snort-devel] Performance comparison between V2 and V3 (rev1)

Min-gyu Jeon jammingyu9 at gmail.com
Tue Feb 26 00:19:54 EST 2019


Some updates here...
Test conditions are all the same as before unless mentioned otherwise.

Trial 1. *(change config)*
: Applied the latest perf/3.0, perf/2.9 config provided by snort_demo repo
(pulled on 2019-02-25)
=> SnortV3 has shown better performance (more than 250%). On the other
hand, V2 perf has become poor (below 50%).

V3 vs V2 (1 thread/process)

V3: 42K pps (CPU 100%)
V2: 6K pps (CPU 100%)

V3 vs V2 (24 threads/process)

=> V3: 520K pps (CPU 2300%)
=> V2: 170K pps (CPU 2380%)

Trial 2. *(change in stream_tcp->ports value only in V2, could not in V3)*
Adjusting some config variables, I figured out that the reason for V2's
decrease in performance was
stream_tcp's value "ports all". (reassemble on all ports)
If I **apply the default setting for stream_tcp->ports (reassemble only on
specific ports) of v2.9.11.1**,
the result is as below. (In V3 I could not set up stream_tcp.port/ports)

V3 vs V2 (1 thread/process)

V3: 42K pps (CPU 100%)
V2: 22K pps (CPU 100%)

V3 vs V2 (24 threads/process)

=> V3: 550K pps (CPU 2200%)
=> V2: 440K pps (CPU 2390%)

If the above reasoning is right, the remaining job is to figure out what ports
V3 is listening on by default.
If V3 is reassembling all ports, Trial 1's result seems right.
If not, Trial 2's results seem to be an approximation. (need more adjustment on
ports in this case)
Any ideas/feedback will be very helpful.



On Friday, February 22, 2019, Russ <rucombs at cisco.com> wrote:

> OK.  Be sure to pull the latest fixes 2.9/repeat.sh and adds some
> validation scripts.