[Snort-users] TCP stream processing performance

Al Lewis (allewi) allewi at ...589...
Mon Jun 27 22:04:17 EDT 2016

TCP segment traffic has to be reassembled/reordered in the correct format before rules are applied. The same thing goes for fragmented traffic. If there are a lot of fragments, Frag3 has to reassemble them.


Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Kevin Wang <kevin.wang at ...17580...>
Date: Monday, June 27, 2016 at 5:59 PM
To: 'snort-users' <snort-users at lists.sourceforge.net>
Subject: [Snort-users] TCP stream processing performance


I am looking at Snort performance and I found that in the Preprocessor profile statistics, “s5” or “s5tcp” is taking a lot of time. My understanding is that s5tcp is for TCP stream reassembly and the time taken is mostly due to the buffering and mis-ordered packets. The actual processing by the CPU is relatively short. Is my understanding correct, or is there other intense processing going on?

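The reordering and reassembly step described in the reply above, as an added example that is not part of the original thread and is not Snort's Stream5 code: a per-flow queue that buffers out-of-order TCP segments by sequence number, trims retransmitted bytes, and releases data only once it is contiguous. The names `stream_t`, `stream_queue` and `stream_flush` are hypothetical, and overlaps between queued segments are resolved by keeping the bytes that arrived first, which is an assumption of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for this example: segments kept sorted by sequence number. */
typedef struct seg { uint32_t seq, len; uint8_t *data; struct seg *next; } seg_t;
typedef struct { uint32_t next_seq; seg_t *head; unsigned queued; } stream_t;

/* Wraparound-safe "a is before b" for 32-bit TCP sequence numbers. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Buffer one segment. Returns 1 if queued, 0 if it held only old data, -1 on OOM. */
int stream_queue(stream_t *s, uint32_t seq, const uint8_t *p, uint32_t len) {
    if (seq_lt(seq, s->next_seq)) {          /* retransmission or partial overlap */
        uint32_t old = s->next_seq - seq;
        if (old >= len) return 0;            /* entirely already delivered */
        seq += old; p += old; len -= old;    /* keep only the new tail */
    }
    if (len == 0) return 0;
    seg_t *n = malloc(sizeof *n);
    if (!n) return -1;
    n->data = malloc(len);
    if (!n->data) { free(n); return -1; }
    memcpy(n->data, p, len);                 /* copy: the packet buffer is reused */
    n->seq = seq; n->len = len;
    seg_t **pp = &s->head;
    while (*pp && !seq_lt(seq, (*pp)->seq))  /* O(n) walk to the sorted position */
        pp = &(*pp)->next;
    n->next = *pp; *pp = n; s->queued++;
    return 1;
}

/* Copy contiguous in-order bytes to out and stop at the first gap. Returns bytes written. */
size_t stream_flush(stream_t *s, uint8_t *out, size_t cap) {
    size_t w = 0;
    while (s->head && !seq_lt(s->next_seq, s->head->seq)) {
        seg_t *h = s->head;
        uint32_t skip = s->next_seq - h->seq;             /* bytes already flushed */
        uint32_t take = skip < h->len ? h->len - skip : 0;
        if (take > cap - w) break;                        /* output buffer full */
        memcpy(out + w, h->data + skip, take);
        w += take; s->next_seq += take;
        s->head = h->next; s->queued--;
        free(h->data); free(h);
    }
    return w;
}
```

In this example every segment costs an allocation, a copy and a list walk, and nothing reaches the caller (the point where rules would be evaluated) until the gap in front of it is filled.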
