[Snort-users] high packet loss - low throughput
michal at ...16244...
Sat Jul 20 18:46:47 EDT 2013
On 7/20/13 5:17 AM, waldo kitty wrote:
> On 7/19/2013 15:51, Michal Purzynski wrote:
>> 64 bit of course. It's Ubuntu 12.04.2, everything updated, etc.
> and i can't help it but this has been nipping at me ever since i read it the
> first time...
> 1. why "of course"??
> 2. i would try the 32bit load and see what happens there... 64bit stuff takes at
> least twice the space and may be half as fast depending on factors...
> [anecdote: we have seen that 64bit doesn't offer any advantages in our
> environments... at best there's twice as much resources needed for roughly the
> same load and half the speed as well... we've just not been able to truly
> justify the 64bit builds of the firewall we work with but for some reason
> everyone thinks that 64bit is better than the tried, tested and true 32bit stuff...]
> with that stated, i would seriously consider testing the 32bit load of SO and
> ensure that it is at least using the PAE kernel so that all that memory is
> recognized and used...
> what can it hurt, really? ;)
Yeah, sure I have time to rebuild everything on production
infrastructure to be 32 bit just to test it ;) I know the story - for
example a really cool vyatta distribution (firewall, router, etc)
refused to go 64 bit as the 32 bit version was better in raw pps. They
actually did it after all - as the 64 bit version was more scalable, in
terms of supported netfilter rules and whatnot.
Still, I really appreciate your comments and ideas and find them
valuable. I just think it's something about the kind of traffic I have
(mostly http) and a snort configuration.
The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find
it actually hard to believe as the "empty" snort used to do around
250-300Mbit/sec per core here. Empty as in no rules at all.
Still, the packet loss rate does not seem to be connected in any way to
a Mbit/sec or pps. Need some more ideas, from the snort
developers/sourcefire team maybe? You know, hiding good tuning tips
does not make people buy your products at the end of the day. It can
only cause people to move to another vendor :)