[Snort-users] high packet loss - low throughput

beenph beenph at ...11827...
Sun Jul 21 08:19:15 EDT 2013


Disable hyperthreading.
Balance your IRQ's so network irq are cpu bound.
bind each instance of snort to each cpu its listening network
interface is bound.


On Sun, Jul 21, 2013 at 6:16 AM, Michal Purzynski <michal at ...16244...> wrote:
> On 7/21/13 2:22 AM, Joel Esler wrote:
>
> On Jul 20, 2013, at 6:46 PM, Michal Purzynski <michal at ...16244...> wrote:
>
> The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find
> it actualy hard to believe as the "empty" snort used to do around
> 250-300Mbit/sec per core here. Empty as in no rules at all.
>
>
> Even more.  But we have a dedicated appliance specifically tuned with
> special drivers to run Snort very fast.  You are doing this, I assume on
> commodity hardware, on a stock OS, running many things (Security Onion)
>
>
> Not really, SO is so wonderful you can enable and disable functionality on
> demand, and so I've done. The box is running snort and netsniff-ng only, has
> around 20 processes of snort (24 execution threads with HT enabled).
>
> Still - 45Mbit/sec per instance with packet loss is disappointing. And 100
> would be too.
>
> Also, I'm running Intel and pf_ring, can try a Myricom (and not pf_ring). I
> won't try anything more expensive like FPGA accelerated cards, since I find
> them too limited and having no real advantage over Myricom and a lot of
> downsides.
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!




More information about the Snort-users mailing list