[Snort-users] TCP stream processing performance

Victor Roemer viroemer at ...589...
Mon Jun 27 22:33:16 EDT 2016


Hi Kevin,


You are correct. While there are additional overheads such as host TCP 
state emulation, preprocessor alerts and stream normalizations, it is 
probably accurate to say that the actual reassembled packet flushing etc. 
is the most intensive.

On 6/27/16 5:59 PM, Kevin Wang wrote:
>
> Hello,
>
> I am looking at Snort performance and I found that in the Preprocessor 
> profile statistics, “s5” or “s5tcp” is taking a lot of time. My 
> understanding is that s5tcp is for TCP stream reassembly and the time 
> taken is mostly due to the buffering and mis-ordered packets. The 
> actual processing by the CPU is relatively short. Is my 
> understanding correct or is there other intense processing going on?
>
> Thanks,
>
> Kevin
>
