[Snort-users] high packet loss - low throughput

Michal Purzynski michal at ...16244...
Sun Jul 21 06:16:06 EDT 2013

On 7/21/13 2:22 AM, Joel Esler wrote:
> On Jul 20, 2013, at 6:46 PM, Michal Purzynski <michal at ...16244... 
> <mailto:michal at ...16244...>> wrote:
>> The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find
>> it actualy hard to believe as the "empty" snort used to do around
>> 250-300Mbit/sec per core here. Empty as in no rules at all.
> Even more.  But we have a dedicated appliance specifically tuned with 
> special drivers to run Snort very fast.  You are doing this, I assume 
> on commodity hardware, on a stock OS, running many things (Security Onion)
Not really, SO is so wonderful you can enable and disable functionality 
on demand, and so I've done. The box is running snort and netsniff-ng 
only, has around 20 processes of snort (24 execution threads with HT 

Still - 45Mbit/sec per instance with packet loss is disappointing. And 
100 would be too.

Also, I'm running Intel and pf_ring, can try a Myricom (and not 
pf_ring). I won't try anything more expensive like FPGA accelerated 
cards, since I find them too limited and having no real advantage over 
Myricom and a lot of downsides.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130721/e3d8618a/attachment.html>

More information about the Snort-users mailing list