[Snort-users] PF_RING / DNA + Snort and high CPU utilization

Ward Sladek wsladekjr at ...125...
Thu Jul 18 09:19:08 EDT 2013


Also, what version of Snort are you using? And are the versions of Snort the same between the old box and new box?

I noticed Snort was consuming 100% of CPU cores when I moved to 2.9.5.0 and reverted back to 2.9.4.6 (I run PF_RING only, no DNA).


> Date: Wed, 17 Jul 2013 23:07:05 -0400
> From: beenph at ...11827...
> To: scott.finlon at ...15821...
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] PF_RING / DNA + Snort and high CPU utilization
> 
> On Wed, Jul 17, 2013 at 9:38 PM, Scott Finlon <scott.finlon at ...15821...> wrote:
> > Writing this again, this time as a new thread.
> >
> > I am in the process of moving Snort from an older box to a new box. Both
> > are RHEL 6 x64, both with the same NICs.
> > Old box has dual E5-2609s, an Intel x520 NIC, and 32 GB of RAM. New box has
> > dual E5-2660s, an Intel x520, and 64 GB of RAM.
> >
> > Using the same configurations on both boxes, I am using PF_RING/DNA to split
> > traffic across CPU cores on the box, and
> > can verify using PF_RING's tool that traffic is being split the way it
> > should be.
> >
> > I compiled Snort on the new box fresh, but copied the configs over. The
> > old box CPU is currently sitting around 10%, the new box has the cores
> > pegged at 99-100%.
> >
> > At Beenph's request, I disabled HT on the new box, but the CPU is still
> > maxed.
> >
> 
> NIC Drivers?
> Kernel version? native compile?
> How do you bound your cpu, which queueing mechanism do you use to
> separate queue etc...
> 
> Which process is taking the cpu's?
> -elz
> 