[Snort-users] high packet loss - low throughput

Michal Purzynski michal at ...16244...
Sun Jul 21 09:04:34 EDT 2013


On 7/21/13 2:19 PM, beenph wrote:
> Disable hyperthreading.
Old and wrong advice from a pre Nehalem era.
> Balance your IRQ's so network irq are cpu bound.
Done long time ago at restart, irqbalance removed from the system,
> bind each instance of snort to each cpu its listening network
> interface is bound.
Very bad idea, packet loss around 60% with it.
>
> On Sun, Jul 21, 2013 at 6:16 AM, Michal Purzynski <michal at ...16244...> wrote:
>> On 7/21/13 2:22 AM, Joel Esler wrote:
>>
>> On Jul 20, 2013, at 6:46 PM, Michal Purzynski <michal at ...16244...> wrote:
>>
>> The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find
>> it actualy hard to believe as the "empty" snort used to do around
>> 250-300Mbit/sec per core here. Empty as in no rules at all.
>>
>>
>> Even more.  But we have a dedicated appliance specifically tuned with
>> special drivers to run Snort very fast.  You are doing this, I assume on
>> commodity hardware, on a stock OS, running many things (Security Onion)
>>
>>
>> Not really, SO is so wonderful you can enable and disable functionality on
>> demand, and so I've done. The box is running snort and netsniff-ng only, has
>> around 20 processes of snort (24 execution threads with HT enabled).
>>
>> Still - 45Mbit/sec per instance with packet loss is disappointing. And 100
>> would be too.
>>
>> Also, I'm running Intel and pf_ring, can try a Myricom (and not pf_ring). I
>> won't try anything more expensive like FPGA accelerated cards, since I find
>> them too limited and having no real advantage over Myricom and a lot of
>> downsides.
>>
>> ------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!





More information about the Snort-users mailing list