[Snort-users] high packet loss - low throughput
wkitty42 at ...14940...
Wed Jul 17 17:01:52 EDT 2013
On 7/17/2013 16:04, Michal Purzynski wrote:
> I can see a strange results on a local snort installation. Either I
> don't understand something or the statistics aren't precise. Please help
> me understand.
> It's an (expanding) two hosts snort setup with 2 x E5-2620 0 @ 2.00GHz /
> 64GB RAM each.
> Intel x520 card.
> Traffic is around 1Gbit to each host.
> Around 3500 VRT only rules enabled.
> 8 snort instances load balanced by the pf_ring.
what else is this machine doing besides just snorting the traffic?
> The traffic loss is very high - up to 9% per instance (as reported by
> Sguil which in turn read the snort logs and debug files). A single
> instance gets from 90 - 150Mbits of traffic and from 10 - 20k pps. To
> make it worse, the loss is not dependent on the traffic and/or pps at
> all. Actualy, sometimes I get a 5% of loss on 50Mbits to a single instance.
what happens if you increase the number of snort instances which would thereby
reduce the load on each of the instances?
> Again, the traffic loss numbers are from the snort stats.
> There's nothing fancy in the snort conf as well. Daq is configured as
> config daq: pfring
> config daq_dir: /opt/pfring/lib/daq
> config daq_var: clusterid=51
> config daq_var: clustermode=5
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
More information about the Snort-users