[Snort-users] Unusual Snort performance stats
Jason.Haar at ...294...
Mon Feb 22 15:59:55 EST 2010
On 02/23/2010 05:29 AM, Matt Watchinski wrote:
> 1. Outstanding means that packets never got out of the ethernet card
> before they got dropped. IE pcap didn't get to them before they
Well that does my mind in. Can you explain to the uninitiated how snort
can know a packet was received by an Ethernet card, but then dropped
before it got out of the card?
Does that mean there are two ways to drop packets? Am I correct in
saying that "dropped packets" implies the OS (ie pcap) received the
packet but dropped it due to snort/userspace being too busy to extract
all the buffer within some time period, but "outstanding" is just as
bad? I've only ever noticed the "Dropped" field before :-(
> This stats means that some percentage of your traffic contains
> protocols that snort doesn't do anything with. Tracking these down
> and add BPF's to ignore them could improve performance.
That's good advise we could all use I'm sure!
> 3. Are you using CPU affinity to lock the snort process to a specific
> CPU? If not this is something to try. If snort bounces to another
> CPU then the cache line is reset and performance can suffer.
Are you saying that there's real value in ensuring snort remains on the
same CPU - even over restarts? Why would the cache matter? I mean,
restarting snort means your IDS is deactivated until it's fully
operational again - does keeping it on the same CPU simply minimize that
outage, or do you mean something else.
Lots of yummy stuff in your message to chew on :-)
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the Snort-users