[Snort-users] Snort + PF_RING + DAQ

livio Ricciulli livio at ...15149...
Tue Sep 4 18:54:19 EDT 2012


> CPU binding is something important. Queue-wise, if you bind a snort
> process to the same network queue then you can clearly start to
> benchmark. If you spread the network queue load on multiple CPUs and do
> not bind the process to the same CPU then you're adding context
> switching in the mix, which I think is bad at high throughput.
In pfring lingo this is called DNA and does give slightly better performance
which supports your claim:
see https://www.metaflows.com/technology/10-gbps-pf_ring-2/

We found, though, that with NAPI and letting the Linux scheduler loose
on 24 threads works just as well but gives you much better flexibility
(you can have multiple applications share the same interface, for
example, which you cannot do with DNA).

So, your theory is correct but it does not make a big enough difference
(on our appliances). And I doubt it would solve Peter's problem. But
again, it is hard to generalize and I might be wrong.

Livio.
