[Snort-users] high packet loss - low throughput

Joel Esler jesler at ...1935...
Sun Jul 21 08:03:59 EDT 2013


Yes, performance that low seems incorrect. I don't think it's Snort with numbers that low. 


--
Joel Esler
Sent from my iPad

On Jul 21, 2013, at 6:16 AM, Michal Purzynski <michal at ...16244...> wrote:

> On 7/21/13 2:22 AM, Joel Esler wrote:
>> On Jul 20, 2013, at 6:46 PM, Michal Purzynski <michal at ...16244...> wrote:
>> 
>>> The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find 
>>> it actualy hard to believe as the "empty" snort used to do around 
>>> 250-300Mbit/sec per core here. Empty as in no rules at all.
>> 
>> Even more.  But we have a dedicated appliance specifically tuned with special drivers to run Snort very fast.  You are doing this, I assume on commodity hardware, on a stock OS, running many things (Security Onion)
> Not really, SO is so wonderful you can enable and disable functionality on demand, and so I've done. The box is running snort and netsniff-ng only, has around 20 processes of snort (24 execution threads with HT enabled).
> 
> Still - 45Mbit/sec per instance with packet loss is disappointing. And 100 would be too.
> 
> Also, I'm running Intel and pf_ring, can try a Myricom (and not pf_ring). I won't try anything more expensive like FPGA accelerated cards, since I find them too limited and having no real advantage over Myricom and a lot of downsides.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130721/dfab8cf7/attachment.html>


More information about the Snort-users mailing list