[Snort-users] high packet loss - low throughput

waldo kitty wkitty42 at ...14940...
Wed Jul 17 17:01:52 EDT 2013

On 7/17/2013 16:04, Michal Purzynski wrote:
> Hello,
> I can see strange results on a local snort installation. Either I
> don't understand something or the statistics aren't precise. Please help
> me understand.
> It's an (expanding) two-host snort setup with 2 x E5-2620 0 @ 2.00GHz /
> 64GB RAM each.
> Intel x520 card.
> Traffic is around 1Gbit to each host.
> Around 3500 VRT only rules enabled.
> 8 snort instances load balanced by the pf_ring.

what else is this machine doing besides just snorting the traffic?

> The traffic loss is very high - up to 9% per instance (as reported by
> Sguil which in turn reads the snort logs and debug files). A single
> instance gets from 90 - 150Mbits of traffic and from 10 - 20k pps. To
> make it worse, the loss is not dependent on the traffic and/or pps at
> all. Actually, sometimes I get a 5% loss on 50Mbits to a single instance.

what happens if you increase the number of snort instances which would thereby 
reduce the load on each of the instances?

> Again, the traffic loss numbers are from the snort stats.
> There's nothing fancy in the snort conf as well. Daq is configured as
> follows.
> config daq: pfring
> config daq_dir: /opt/pfring/lib/daq
> config daq_var: clusterid=51
> config daq_var: clustermode=5

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
