[Snort-users] Re: *BSD performance (was:Correct version of libpcap?)

Bradberry, John BradberryJ at ...2147...
Thu Feb 5 07:03:02 EST 2004

Be sure to consider the DEVICE_POLLING kernel option on a BSD system.
We're using it in production on BSD 4.9 systems.  The attached notes
summarize material I've found online that has been contributed by
others.  I hope you'll find it to be useful.

Best regards.

John Bradberry
The Greentree Group

DEVICE_POLLING is a BSD kernel option that can improve the machine's
packet capture ability.

It can be enabled on BSD machines using network cards that support these

* dc -- DEC/Intel 21143 and clone 10/100 ethernet driver
* fxp -- Intel EtherExpress Pro/100B ethernet device driver
* rl -- RealTek 8129/8139 fast ethernet device driver
* sis -- SiS 900, SiS 7016 and NS DP83815 fast ethernet device driver

DEVICE_POLLING changes the method through which data gets from the
network card to the kernel.  Normally, each time the network card needs
attention (for example when it receives a packet), it generates an
interrupt request. The request causes a context switch and a call to an
interrupt handler. A context switch is when the CPU and kernel have to
switch between user land (the user's programs or servers) and kernel
land (dealing with device drivers, hardware, and other kernel-bound
tasks). The last few years have seen significant improvements in the
efficiency of context switching, but it is still an extremely expensive
operation. Furthermore, the amount of time the system may have to spend
dealing with an interrupt can be almost limitless.  It is completely
possible for an interrupt to never free the kernel, leaving your machine

The DEVICE_POLLING option changes this behavior.  It causes the kernel
to poll the network card itself at certain predefined times: at defined
intervals, during idle loops, or on clock interrupts.  This allows the
kernel to decide when it is most efficient to poll a device for updates
and for how long, and ultimately results in a significant increase in

If you want to take advantage of DEVICE_POLLING, you need to compile two
options into the kernel:

options HZ=1000

The first line enables DEVICE_POLLING and the second line slows the
clock interrupts to 1000 times per second.  You need to set the HZ
option because, in the worst case, your network card will be polled on
clock ticks.  If the clock ticks very fast, you would spend a lot of
time polling devices, which defeats the purpose of using this kernel

The DEVICE_POLLING option by default does not work with SMP-enabled
kernels. When the author of the DEVICE_POLLING code initially committed
it, he admitted he was unsure of the benefits of the feature in a
multiple-CPU environment, as only one CPU would be doing the polling.
However, many administrators have found that there is a significant
advantage to DEVICE_POLLING even in SMP-enabled kernels and that it
works with no problems at all.

When compiling an SMP kernel with DEVICE_POLLING, edit the file:
/usr/src/sys/kern/kern_poll.c and remove the following lines:

#ifdef SMP
#include "opt_lint.h"
#error DEVICE_POLLING is not compatible with SMP

Finally, we need to change one sysctl parameter to enable this feature.
You can either enable polling at runtime or at boot. If you want to
enable it at boot, add this line to the end of your /etc/sysctl.conf:


More information can be found in the kernel LINT file, which contains
all possible kernel options:


-----Original Message-----
From: Martin Olsson [mailto:elof at ...6680...] 
Sent: Wednesday, February 04, 2004 3:14 AM
To: Christian Ehlen
Cc: snort-users mailinglist
Subject: [Snort-users] Re: *BSD performance (was:Correct version of

On Tue, 3 Feb 2004, Christian Ehlen wrote:
> I think a *BSD system can also increase performance.

Do you have any hints of how to boost the performance? I'm running snort
on a non-tweaked FreeBSD 4.9 system.

What kind of tweaks can/should I do?

