[Snort-users] cpu usage by component

Matt Kettler mkettler at ...4108...
Tue Sep 9 08:46:54 EDT 2003

At 06:19 PM 9/8/2003 -0400, Oliver Dain wrote:
>The question is, relative to one another, how much time do the rules,
>the various cpu intensive preprocessors and the user/kernel boundary crossing
>require?  Does stream4 use 10 times as much cpu as the rules engine? Is most
>of the cpu time spent getting packets from the NIC, through the kernel and
>into user space?

I can't speak authoritatively, however based on my experience:

conversation and portscan2 as a collective pair seem to use more memory and 
CPU than anything else in snort by a factor of at least 4. Based on what 
they do I can't quite understand why, but on low cpu power systems these 
two cause extreme packet loss (>10%), even when monitoring a mere 2mbit/sec 
link on a p-133 that was dedicated to snort. Disabling those two caused the 
packet loss rate to drop by a factor of 100 (from >10% to approximately 0.1%).

Based on what it does, I would venture to guess the stream4 preprocessor is 
about as much CPU time as a few case-insensitive content searches. However, 
I would have expected the same of conversation and portscan2 and clearly 
their usage is significantly higher. However, stream4 doesn't seem to 
present a problem for low-end hardware, so my expectations are probably 
within reason.

Getting packets from the NIC can be either easy or extremely painful 
depending on your NIC design. However assuming you're using something of 
reasonably efficient design (ie: not a realtek chipset) this shouldn't be 
that much of the CPU time. Cross-overs from kernel to user-space are a bit 
pricey, but the rule engine should be considerably more expensive CPU wise.

I know I'm not giving you any hard numbers, but my expectations would be 
that the CPU usage would probably break down something along these lines, 
ignoring conversation/portscan2 which would easily make these numbers 

rules engine - 70% (assuming a fair amount of content searching caused by 
the traffic profile).
stream4 - 15% (assuming some processing and a memcopy to buffer the data)
kernel copy to userspace - 10% (assuming most of the work is a memcopy and 
a context switch)
nic management - 5% (assuming that a double-copy isn't required due to 
inefficient busmastering alignments)
