[Snort-users] Snort 2.9, RHEL 5 and afpacket DAQ
eoin.miller at ...14586...
Wed Oct 20 13:35:58 EDT 2010
On 10/20/2010 4:44 PM, Rich Graves wrote:
> I can reproduce this too, on a RHEL5 x86_64 system with 4GB RAM. I've tried kernels 2.6.18-194.17.1.el5 and 2.6.18-194.11.1.el5, so it's not the fault of any of the recent updates.
> The sum total is 49MB. I can't even run snort -T if snort -c is running.
> So far, performance doesn't look good.
> For several months, I was running Snort 2.8.6 linked with Phil Woods' MMAP patches to libpcap 0.98 configured with 300MB buffer:<0.1% to 5% packet drops (drops have jumped in the last 10 days without significant increase in byte or packet count; I haven't had the time to figure out the rules responsible)
> Snort 2.9.0 linked with libpcap 1.1.1, default pcap acquisition: 30% packet drops
> Snort 2.9.0 linked with libpcap 1.1.1, afpacket acquisiton with 49MB buffer: 9% packet drops
> This might not be an apples-to-apple comparison for various reasons, including recent RedHat kernel updates, the jump in drops that started before upgrading, and possible reporting variance (i.e., 2.8.6 and 2.9 might be counting different things). But when I revert from 2.9.0 to 2.8.6 I seem to get both fewer drops and more alerts.
afpacket is nearly identical to mmap'd libpcap. Just give afpacket a
bigger buffer and the performace should be extremely comprable, and you
don't have to use super old libpcap anymore.
More information about the Snort-users