[Snort-users] high packet loss - low throughput

beenph beenph at ...11827...
Sun Jul 21 11:18:23 EDT 2013

On Sun, Jul 21, 2013 at 9:04 AM, Michal Purzynski <michal at ...16244...> wrote:
> On 7/21/13 2:19 PM, beenph wrote:
>> Disable hyperthreading.
> Old and wrong advice from a pre Nehalem era.

As far as i know its still currently very debatable to enable hyperthreading
for system that require alot of context switching but i could be wrong :)

>> Balance your IRQ's so network irq are cpu bound.
> Done long time ago at restart, irqbalance removed from the system,

I was not refering to irqbalance process but i was rather refering to
assing your network card queue's
irq's to specific cpu core using smp_affinity. (/proc/irq/<IRQ ID>/smp_affinity)

>> bind each instance of snort to each cpu its listening network
>> interface is bound.
> Very bad idea, packet loss around 60% with it.

Very bad idea if the above suggestion is not done, correctly, else its
rather a good practice if you have
multiple input and output queue.

More information about the Snort-users mailing list