[Snort-users] Question about outstanding packets

Al Lewis (allewi) allewi at ...589...
Fri Feb 13 08:00:04 EST 2015


It looks like Snort is being oversubscribed. Which mode are you running the daq with?

If you are using the default (pcap) you can try either afpacket or netmap and see if that changes the numbers and gives you an idea of where to look. 

Afpacket should perfom better than the pcap mode because it creates a ring of pointers to the packets. 

Netmap should be able to achieve near wire speeds since netmap doesn't have the buffer copy IO overhead.   

Keep in mind this could make it worse because even though the packets are being copied in faster Snort still needs time to process them. If that happens I would lean towards looking for a box with more power or filtering down the amount of traffic snort is seeing.

The instructions for using / setting up AFPACKET and NETMAP are in the daq manual/readme.


Hope this helps!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: C. L. Martinez [mailto:carlopmart at ...11827...] 
Sent: Friday, February 13, 2015 2:02 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Question about outstanding packets

Hi all,

 Under my snort's statistics, I see results like these every day:

*** Caught Term-Signal
===============================================================================
Run time for packet processing was 86064.336514 seconds Snort processed 2731635677 packets.
Snort ran for 0 days 23 hours 54 minutes 24 seconds
    Pkts/hr:    118766768
   Pkts/min:      1904906
   Pkts/sec:        31739
===============================================================================
Packet I/O Totals:
   Received:   3097205569
   Analyzed:   2731635677 ( 88.197%)
    Dropped:      1427584 (  0.046%)
   Filtered:            0 (  0.000%)
Outstanding:    365569892 ( 11.803%)
   Injected:            0
===============================================================================

But I don't see clearly what it means "Outstanding" packets. According to Snort's docs:

Outstanding indicates how many packets are buffered awaiting processing. The way this is counted varies per DAQ so the DAQ documentation should be consulted for more info.

Searching inside DAQ's README I don't see any reference about outstanding packets.

How daq manages these packets?? How can I reduce outstanding stats??

Thanks.

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list