[Snort-users] high packet loss - low throughput

Michal Purzynski michal at ...16244...
Sun Jul 21 06:16:06 EDT 2013


On 7/21/13 2:22 AM, Joel Esler wrote:
> On Jul 20, 2013, at 6:46 PM, Michal Purzynski <michal at ...16244... 
> <mailto:michal at ...16244...>> wrote:
>
>> The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find
>> it actualy hard to believe as the "empty" snort used to do around
>> 250-300Mbit/sec per core here. Empty as in no rules at all.
>
> Even more.  But we have a dedicated appliance specifically tuned with 
> special drivers to run Snort very fast.  You are doing this, I assume 
> on commodity hardware, on a stock OS, running many things (Security Onion)
>
>
Not really, SO is so wonderful you can enable and disable functionality 
on demand, and so I've done. The box is running snort and netsniff-ng 
only, has around 20 processes of snort (24 execution threads with HT 
enabled).

Still - 45Mbit/sec per instance with packet loss is disappointing. And 
100 would be too.

Also, I'm running Intel and pf_ring, can try a Myricom (and not 
pf_ring). I won't try anything more expensive like FPGA accelerated 
cards, since I find them too limited and having no real advantage over 
Myricom and a lot of downsides.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130721/e3d8618a/attachment.html>


More information about the Snort-users mailing list