[Snort-users] 2.1.3rc1 Performance RESULTS
Gary_Portnoy at ...11307...
Fri May 21 12:21:01 EDT 2004
I've trimmed some people from the To list; I didn't want to keep flooding
Thanks for the tuning tips. I've been playing around with different
settings since this morning, and had increased sq_max_size first to 50, then
to 100. This has prevented the norcvbuf and nocanput counters from
"netstat -k" from going up any higher. They are currently holding at
their values (around 330 MILLION each. I hate to think how many
events I missed). However, Snort statistics still keep on reporting
dropped packets, pretty much at the same rate as before. I
increased the tcp_max_buf and tcp_recv_hiwat values to 4 times their
present size. They are at 4194304 and 262144 respectively. I don't want
to do too much too fast, but I haven't seen any changes yet.
What bothers me is that now that nocanput and norcvbuf have stopped going
up, why is Snort still dropping packets? I wonder if now it is
something within Snort, since it seems that my machine is finally keeping
up with the network load.
Can someone from the Sourcefire/Snort team comment on how the performance
statistics (both from the perfmon preprocessor and after receiving a USR1
signal) are created? How reliable are they? Do they report just what they
receive from libpcap, or would they report as "dropped" packets that they
received from libpcap but couldn't process for whatever reason?
I just sent 'kill -USR1 snort.pid' and here are the latest stats:
Snort analyzed 20223045 out of 21439997 packets, dropping 1216952(5.676%)
That's after running for about 3 hours.
Information Security Analyst
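The question above is whether new drops are still being lost in the kernel or are now being counted by the capture path. One way to tell them apart from what is already on hand is to sample the USR1 statistics line and the two "netstat -k" counters together over time and look at the deltas per interval. The script below is an added example, not code from the thread or from Snort; it assumes the statistics line has exactly the format quoted above, that norcvbuf and nocanput appear as "name value" pairs in "netstat -k" output (the kstat block they sit under is assumed to be the NIC driver's), and all sample values are constructed except the final three-hour figure taken from the message.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The line Snort 2.1.x prints after `kill -USR1 <pid>`, in the form quoted
# in the message above.
SNORT_STATS_RE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<total>\d+) packets, "
    r"dropping (?P<dropped>\d+)\((?P<pct>[\d.]+)%\)"
)

# The two `netstat -k` counters watched in the thread.  Which kstat block
# they sit under (assumed: the NIC driver's, e.g. qfe0:) is an assumption.
KERNEL_COUNTERS = ("norcvbuf", "nocanput")


def parse_snort_stats(line: str) -> Tuple[int, int, int]:
    """Return (analyzed, total, dropped) from a Snort USR1 statistics line."""
    m = SNORT_STATS_RE.search(line)
    if not m:
        raise ValueError("not a Snort statistics line: %r" % line)
    return int(m["analyzed"]), int(m["total"]), int(m["dropped"])


def drop_percent(dropped: int, total: int) -> float:
    """Drop rate the way Snort prints it: dropped as a percentage of total."""
    return 100.0 * dropped / total if total else 0.0


def parse_netstat_k(text: str, wanted=KERNEL_COUNTERS) -> Dict[str, int]:
    """Pull named counters out of `netstat -k` output: 'module:' headers,
    each followed by lines of 'name value name value ...' pairs.  A counter
    seen under more than one interface is summed."""
    found: Dict[str, int] = {}
    for name, value in re.findall(r"([A-Za-z_]\w*)\s+(\d+)", text):
        if name in wanted:
            found[name] = found.get(name, 0) + int(value)
    missing = set(wanted) - set(found)
    if missing:
        raise ValueError("counters missing from netstat -k: %s" % sorted(missing))
    return found


@dataclass
class Sample:
    seconds: int       # seconds since Snort started
    analyzed: int
    total: int
    dropped: int
    kernel_drops: int  # norcvbuf + nocanput


def attribute_drops(prev: Sample, cur: Sample) -> Dict[str, object]:
    """Say where the drops that appeared between two samples were counted.
    kernel  - norcvbuf/nocanput rose: lost before libpcap saw them
              (STREAMS queue or receive buffer exhaustion)
    capture - kernel counters flat but Snort's drop counter rose: the
              loss is reported by the capture path; more kernel tuning
              is unlikely to help
    clean   - nothing dropped in the interval"""
    d_total = cur.total - prev.total
    d_drop = cur.dropped - prev.dropped
    d_kern = cur.kernel_drops - prev.kernel_drops
    if min(d_total, d_drop, d_kern) < 0:
        raise ValueError("a counter went backwards; was Snort or the box restarted?")
    dt = cur.seconds - prev.seconds
    if d_drop == 0 and d_kern == 0:
        verdict = "clean"
    elif d_kern > 0:
        verdict = "kernel"
    else:
        verdict = "capture"
    return {"interval_s": dt, "pps": d_total / dt if dt > 0 else 0.0,
            "drop_pct": drop_percent(d_drop, d_total),
            "kernel_delta": d_kern, "verdict": verdict}


def netstat_k_text(norcvbuf: int, nocanput: int) -> str:
    """Constructed `netstat -k` fragment for one interface (not real output)."""
    return ("qfe0:\n"
            "ipackets 7150000 ierrors 0 opackets 12 oerrors 0 collisions 0\n"
            "norcvbuf %d nocanput %d brdcstrcv 4096 multircv 0\n"
            % (norcvbuf, nocanput))


# Constructed hourly snapshots; only the last Snort line is from the thread.
SNAPSHOTS = [
    (0, "Snort analyzed 0 out of 0 packets, dropping 0(0.000%)",
     netstat_k_text(330000000, 330000000)),
    (3600, "Snort analyzed 6740000 out of 7150000 packets, dropping 410000(5.734%)",
     netstat_k_text(330000000, 330000000)),   # kernel counters flat
    (7200, "Snort analyzed 13480000 out of 14300000 packets, dropping 820000(5.734%)",
     netstat_k_text(330040000, 330010000)),   # kernel counters climbing again
    (10800, "Snort analyzed 20223045 out of 21439997 packets, dropping 1216952(5.676%)",
     netstat_k_text(330040000, 330010000)),
]


def build_sample(seconds: int, snort_line: str, netstat_text: str) -> Sample:
    analyzed, total, dropped = parse_snort_stats(snort_line)
    return Sample(seconds, analyzed, total, dropped,
                  sum(parse_netstat_k(netstat_text).values()))


def analyze(snapshots) -> List[Dict[str, object]]:
    samples = [build_sample(*snap) for snap in snapshots]
    return [attribute_drops(a, b) for a, b in zip(samples, samples[1:])]


if __name__ == "__main__":
    for r in analyze(SNAPSHOTS):
        print("%(interval_s)ds  %(pps).0f pps  dropped %(drop_pct).3f%%  "
              "kernel +%(kernel_delta)d  -> %(verdict)s" % r)
```

On a real sensor the two inputs would come from the Snort log and from "netstat -k" run at the same moment; the verdict only says which counter moved, it does not say why Snort's own figure moved, which is the question put to the Snort team above.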
"Kreimendahl, Chad J" <Chad.Kreimendahl at ...4716...>
05/21/2004 02:38 PM
To: <Gary_Portnoy at ...11307...>, "Dirk Geschke" <Dirk at ...10648...>,
"Darren Webb" <spyder007 at ...6436...>
cc: <snort-users at lists.sourceforge.net>, "Daniel J. Roelker"
<droelker at ...1935...>
Subject: RE: [Snort-users] 2.1.3rc1 Performance RESULTS
OK, try the following things; I've included some notes below.
This is from /etc/system (I've included the comments from above it)
*Increasing Synchronized Queues to Improve Network Performance
* To increase the size of STREAMS synchronized queues, thereby
* increasing network performance, add the sq_max_size variable to
* the /etc/system file.
* set sq_max_size=n
* Set the sq_max_size variable to n, where n is the maximum number
* of messages that are allowed for each IP queue.
* Values should be incremented in small steps (10) and never set
* higher than 100.
The following we run in a startup script:
/usr/sbin/ndd -set /dev/tcp tcp_max_buf 8194304
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 8194304
The first one lets more packets sit in each queue. Setting this high
would make things like web connections to that server seem a little
slower, but will greatly improve high bandwidth sniffing. The second
changes the high water mark for the buffers in whatever protocol.
(tcp_<whatever> can be changed to udp_<whatever> and works identically).
Of note, xmit_hiwat (the counterpart of recv_hiwat) is unimportant on links
such as spans, but might be considered if you're actually using that
interface to route traffic.
There may be some other changes that we've done. However, those 3
settings posted gave us the greatest effect on our end ability to sniff
traffic at high rates.
These settings shouldn't be necessary on a system like a Sun
V210/240/250.. (fire systems)... etc when installed with Solaris 9. The
drivers for the built-in bge interface(s) are excellent, and the kernel
handles changing between polling/interrupts in brilliant fashion.
From: Gary_Portnoy at ...11307... [mailto:Gary_Portnoy at ...11307...]
Sent: Friday, May 21, 2004 9:00 AM
To: Kreimendahl, Chad J; Dirk Geschke; Darren Webb
Cc: snort-users at lists.sourceforge.net; Daniel J. Roelker
Subject: [Snort-users] 2.1.3rc1 Performance RESULTS
So last night I ran the following test:
Captured 1 million packets off the wire, verified the capture with
Connected my Snort sensor (Sun Ultra-2, 1024MB RAM, 2 CPUs, Quad Ethernet
card) with a crossover cable to a Sun V120.