[Snort-users] Performance again

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Dec 23 08:56:02 EST 2003

Matt Kettler wrote:
> At 10:55 AM 12/23/2003, Edin Dizdarevic wrote:

> 5. Other.
> with libpcap, packets are queued into a buffer for snort to read. That 
> buffer is a fixed size. When snort reads a packet, it is removed from 
> the buffer and that space is freed for new packets to arrive.

AFAIK there are two buffers: store and hold, at least according to Mr.
Stevens. This may not apply to Linux. Anyway, if we use Phil Wood's
libpcap it would be possible to virtually extend the buffer size. So
with that countermeasure we give Snort more time to finish the tasks
pending. Correct so far?

But if we go a step further, there are also some Snort parameters which
influence the amount of the time Snort has for the individual tasks 
themselves. If I give the preprocessors more of the machine's (endless)
memory I may remove the bottleneck there. On the other side the libpcap
"wants" some memory too and the system itself and so on. Sure, "Throw
memory and/or money on it"-approach will almost always solve the
problems one may have, but in this particular case I would prefer 
choosing another one ;) . I am simply trying to understand how
everything is working together as one complex system. The only information
source I have at the moment is the performance monitor.


Edin Dizdarevic
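The interaction the thread is circling (a fixed-size capture buffer, a single-threaded consumer with a per-packet cost, and the question of whether a larger buffer "gives Snort more time") can be made concrete with a small queueing model. The following is an added example, not code from Snort, libpcap, Phil Wood's patches or anyone in this thread. It assumes a simplified model: the buffer holds a fixed number of packets (real libpcap buffers are sized in bytes), the consumer spends a constant number of ticks per packet (standing in for Snort's decode plus preprocessor plus detection cost), and a packet that arrives when the buffer is full is counted as dropped, the way libpcap's pcap_stats() reports ps_drop. The model shows the distinction a practitioner wants when reading the performance monitor: a larger buffer absorbs bursts without loss, but under sustained overload (packets arriving faster than they are consumed) it only delays the first drop and the steady-state drop rate stays the same, so the fix has to come from the per-packet cost, not the buffer.

```python
"""Discrete-time model of a fixed-size capture buffer feeding a single
consumer.  Constructed illustration; not libpcap or Snort code."""
from collections import deque
from dataclasses import dataclass


@dataclass
class CaptureStats:
    received: int    # packets that arrived on the wire (cf. pcap_stat.ps_recv)
    dropped: int     # packets that found the buffer full (cf. pcap_stat.ps_drop)
    processed: int   # packets the consumer finished
    max_queue: int   # peak buffer occupancy, in packets


def simulate(arrivals, service_ticks, buffer_size):
    """Run the model.

    arrivals:      list of ints; arrivals[t] packets hit the wire at tick t
    service_ticks: ticks the consumer needs per packet (assumed constant)
    buffer_size:   capture buffer capacity in packets (assumption: packets,
                   not bytes, to keep the model simple)
    """
    queue = deque()
    stats = CaptureStats(received=0, dropped=0, processed=0, max_queue=0)
    busy_until = 0  # tick at which the consumer is free again

    def consumer_step(tick):
        nonlocal busy_until
        # The consumer takes one packet from the buffer when idle, then is
        # busy for service_ticks ticks; the freed slot is available at once.
        if tick >= busy_until and queue:
            queue.popleft()
            stats.processed += 1
            busy_until = tick + service_ticks

    for tick, count in enumerate(arrivals):
        consumer_step(tick)
        for _ in range(count):
            stats.received += 1
            if len(queue) < buffer_size:
                queue.append(tick)
            else:
                stats.dropped += 1          # buffer full: libpcap would count ps_drop
        stats.max_queue = max(stats.max_queue, len(queue))

    # Let the consumer drain whatever is still buffered after the trace ends.
    tick = len(arrivals)
    while queue:
        consumer_step(tick)
        tick += 1
    return stats


def drop_rate(stats):
    """Fraction of received packets that were dropped (0.0 if nothing arrived)."""
    return stats.dropped / stats.received if stats.received else 0.0


# Two constructed traces: a single burst of 20 packets followed by silence,
# and a sustained load of one packet per tick.  The consumer needs 2 ticks
# per packet, i.e. it can keep up with at most 0.5 packets per tick.
BURST = [20] + [0] * 100
SUSTAINED = [1] * 2000
SERVICE_TICKS = 2

if __name__ == "__main__":
    for name, trace in (("burst", BURST), ("sustained", SUSTAINED)):
        for size in (8, 32):
            s = simulate(trace, SERVICE_TICKS, size)
            print(f"{name:9s} buffer={size:2d} received={s.received:4d} "
                  f"dropped={s.dropped:4d} processed={s.processed:4d} "
                  f"drop_rate={drop_rate(s):.2f} max_queue={s.max_queue}")
```

In the burst trace, going from 8 to 32 slots takes the loss from 12 packets to zero, which is the effect the thread hopes for from a bigger libpcap buffer. In the sustained trace the consumer's throughput (0.5 packets per tick) is below the arrival rate (1 per tick), so both buffer sizes lose close to half of the traffic; the larger buffer merely pushes the first drop later. The lever in that case is service_ticks, which in Snort terms is what preprocessor and rule-set choices change, and it is the number the performance monitor's drop and throughput figures should be read against.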
