[Snort-users] 2.1.3rc1 Performance RESULTS

Fri May 21 11:39:09 EDT 2004

Ok, try these following things:  I've included some notes below

This is from /etc/system (I've included the comments from above it)

*Increasing Synchronized Queues to Improve Network Performance
*  To increase the size of STREAMS synchronized queues, thereby
*  increasing network performance, add the sq_max_size variable to
*  the /etc/system file.
*       set sq_max_size=n
*  Set the sq_max_size variable to n, where n is the maximum number
*  of messages that are allowed for each IP queue.
*  values should be incremented in small steps ( 10 ) and never set
*  higher than 100.

set sq_max_size=100

The following we run in a startup script:

/usr/sbin/ndd -set /dev/tcp tcp_max_buf 8194304
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 8194304 

The first one lets more packets sit in each queue.  Setting this high
would make things like web connections to that server seem a little
slower, but will greatly improve high bandwidth sniffing.  The second
changes the high water mark for the buffers in whatever protocol.
(tcp_<whatever> can be changed to udp_<whatever> and works identically).
Of note, xmit_hiwat (alternate to recv_hiwat) is unimportant on links
such as spans, but might be considered if you're actually using that
interface to route traffic.

There may be some other changes that we've done.  However, those 3
settings posted gave us the greatest effect on our ability to sniff
traffic at high rates.
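The three tunables above are the kind of setting that silently drifts after a patch or a rebuild, so a sensor startup script is a good place to verify them as well as set them.  The following POSIX sh functions are an added example, not code from the original post: they parse the `set sq_max_size=n` line out of an /etc/system file and check it against the 1..100 range the kernel comment gives, and compare live `ndd -get` values with the expected 8194304.  The `SYSTEM_FILE` and `NDD_GET` variables are hypothetical hooks added so the audit can be exercised against a sample file and a stand-in command on a non-Solaris host; the code assumes `ndd -get /dev/tcp <param>` prints the bare value on one line.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Solaris sniffing
# sensor's tunables against the values recommended above.
# Assumptions: /etc/system lines look like "set var=value"; ndd -get prints
# the bare value.  SYSTEM_FILE and NDD_GET are hypothetical test hooks.

# Read an /etc/system file on stdin and return 0 when sq_max_size is
# present (uncommented) and within the 1..100 range from the kernel
# comment, 1 otherwise.
check_sq_max_size() {
    val=$(sed -n 's/^[[:space:]]*set[[:space:]]*sq_max_size[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$val" ] || return 1
    [ "$val" -ge 1 ] && [ "$val" -le 100 ]
}

# Compare a live driver parameter with its expected value.
#   $1 = driver node (e.g. /dev/tcp), $2 = parameter, $3 = expected value
# Returns 0 on match, 1 on mismatch, 2 when the getter cannot be run.
ndd_matches() {
    getter=${NDD_GET:-"/usr/sbin/ndd -get"}
    current=$($getter "$1" "$2" 2>/dev/null) || return 2
    [ "$current" = "$3" ]
}

# Audit the three settings from the post and print one line per setting.
# Returns 0 only when every setting matches.
audit_sensor_tunables() {
    rc=0
    if check_sq_max_size < "${SYSTEM_FILE:-/etc/system}"; then
        echo "sq_max_size: ok"
    else
        echo "sq_max_size: missing or out of range (expected 1..100)"
        rc=1
    fi
    for spec in "tcp_max_buf 8194304" "tcp_recv_hiwat 8194304"; do
        set -- $spec   # $1 = parameter, $2 = expected value
        if ndd_matches /dev/tcp "$1" "$2"; then
            echo "$1: ok"
        else
            echo "$1: differs from expected $2 (or ndd unavailable)"
            rc=1
        fi
    done
    return $rc
}
```

Run `audit_sensor_tunables` from the same startup script after the `ndd -set` lines, and log a non-zero return so a sensor that came up without its buffer tuning is noticed before the packet drops are.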

These settings shouldn't be necessary on a system like a Sun
V210/240/250 (Fire systems), etc., when installed with Solaris 9.  The
drivers for the built-in bge interface(s) are excellent, and the kernel
handles changing between polling/interrupts in brilliant fashion.

So last night I ran the following test:

Captured 1 million packets off the wire, verified the capture with 
Connected my snort sensor (Sun Ultra-2, 1024MB RAM, 2CPU, Quad Ethernet 
card) with a crossover cable to a Sun V120.

