[Snort-users] high packet loss - low throughput

Michal Purzynski michal at ...16244...
Sun Jul 21 13:49:48 EDT 2013


On 7/21/13 5:18 PM, beenph wrote:
> On Sun, Jul 21, 2013 at 9:04 AM, Michal Purzynski <michal at ...16244...> wrote:
>> On 7/21/13 2:19 PM, beenph wrote:
>>> Disable hyperthreading.
>> Old and wrong advice from a pre Nehalem era.
>>
> As far as i know its still currently very debatable to enable hyperthreading
> for system that require alot of context switching but i could be wrong :)
>
>
>>> Balance your IRQ's so network irq are cpu bound.
>> Done long time ago at restart, irqbalance removed from the system,
>>
> I was not refering to irqbalance process but i was rather refering to
> assing your network card queue's
> irq's to specific cpu core using smp_affinity. (/proc/irq/<IRQ ID>/smp_affinity)
See above.
>
>>> bind each instance of snort to each cpu its listening network
>>> interface is bound.
>> Very bad idea, packet loss around 60% with it.
>>
> Very bad idea if the above suggestion is not done, correctly, else its
> rather a good practice if you have
> multiple input and output queue.
Let me say the same third time - 60% packet loss with it. Or to put it 
another way - for every 10 packets only 4 makes it through and 6 get 
dropped.




More information about the Snort-users mailing list