[Snort-users] high packet loss - low throughput

Michal Purzynski michal at ...16244...
Wed Jul 17 16:04:37 EDT 2013


I can see strange results on a local snort installation. Either I
don't understand something or the statistics aren't precise. Please help
me understand.

It's an (expanding) two-host snort setup with 2 x E5-2620 0 @ 2.00GHz /
64GB RAM each.
Intel x520 card.
Traffic is around 1Gbit to each host.
Around 3500 VRT only rules enabled.
8 snort instances load balanced by the pf_ring.

The traffic loss is very high - up to 9% per instance (as reported by
Sguil, which in turn reads the snort logs and debug files). A single
instance gets from 90 - 150Mbits of traffic and from 10 - 20k pps. To
make it worse, the loss is not dependent on the traffic and/or pps at
all. Actually, sometimes I get a 5% loss on 50Mbits to a single instance.

Again, the traffic loss numbers are from the snort stats.

There's nothing fancy in the snort conf either. Daq is configured as:

config daq: pfring
config daq_dir: /opt/pfring/lib/daq
config daq_var: clusterid=51
config daq_var: clustermode=5
