[Snort-users] Perf Profiling results/troubleshooting throughput

B dustythepath at ...11827...
Fri Apr 7 19:12:16 EDT 2017


Hi,

I am having problems with network throughput and getting hit with a 25-30% performance hit when going through an inline Snort installation.
Snort is installed as a guest on an ESXi box with an Intel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz.
All network offloading has been turned off, including within the ESXi host via Advanced settings.
I have also done other tweaks with sysctl that have had no real effect.
MTU/Snaplen has not been touched.
Snort does hit 100% CPU during a speedtest.net <http://speedtest.net/> throughput test. When adding Perf Profiling the throughput became worse.
Others on the list have said bare metal is better; any opinions on that would be welcome.

Below are the Preprocessor performance profile results.

I don't really know what I'm looking at, but am asking if s5TcpProcessRebuilt is out of bounds?
Any guidance would be appreciated. 

Thanks

Preprocessor Profile Statistics (all)
==========================================================
 Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====           =========  ========= ============= ============
  1                       s5     0     106726     106726             3896181      36.51         45.34        45.34
   1                   s5tcp     1     106268     106268             3872032      36.44         99.38        45.06
    1             s5TcpState     2     106240     106240             3757429      35.37         97.04        43.73
     1            s5TcpFlush     3       4683       4683               28215       6.03          0.75         0.33
      1  s5TcpProcessRebuilt     4       4683       4683             3445701     735.79      12211.99        40.10
      2     s5TcpBuildPacket     4       4683       4683               20727       4.43         73.46         0.24
     2              s5TcpPAF     3       1969       1969                9299       4.72          0.25         0.11
     3             s5TcpData     3      63366      63366              101811       1.61          2.71         1.18
      1       s5TcpPktInsert     4      54480      54480               78869       1.45         77.47         0.92
    2           s5TcpNewSess     2        285        285                1666       5.85          0.04         0.02
   2                   s5udp     1        458        458                1347       2.94          0.03         0.02
  2                    frag3     0          4          4                 145      36.27          0.00         0.00
   1            frag3rebuild     1          2          2                  10       5.42          7.47         0.00
   2             frag3insert     1          2          2                   8       4.28          5.90         0.00
  3                   detect     0     164819     164819             5627954      34.15         65.50        65.50
   1                    mpse     1     254861     254861             6212436      24.38        110.39        72.30
   2               rule eval     1        336        336                5716      17.01          0.10         0.07
    1         rule tree eval     2        336        336                5568      16.57         97.41         0.06
     1  preproc_rule_options     3          1          1                  12      12.76          0.23         0.00
     2               content     3        475        475                4413       9.29         79.25         0.05
     3            uricontent     3          1          1                   1       1.38          0.02         0.00
     4               session     3     106791     106791              135399       1.27       2431.67         1.58
     5              flowbits     3          5          5                   4       0.86          0.08         0.00
     6                  flow     3        248        248                  61       0.25          1.10         0.00
     7             file_data     3         73         73                  13       0.18          0.24         0.00
  4              httpinspect     0      66291      66291             1237182      18.66         14.40        14.40
  5                   decode     0     106961     106961              563843       5.27          6.56         6.56


s5TcpProcessRebuilt 
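
As an added example that is not part of the original post or of Snort itself: a small parser for the profile table above that rebuilds the call tree from the Layer column and lists rows whose Microsecs exceed their caller's. It assumes Layer is the nesting depth and that Pct of Caller is a row's Microsecs relative to its caller's, which the posted figures are consistent with; the function names are hypothetical.

```python
"""Flag Snort preprocessor-profile rows whose time exceeds their caller's."""

# Sample input: nine rows copied from the profile posted above (columns compacted).
SAMPLE = """\
 Num Preprocessor Layer Checks Exits Microsecs Avg/Check Pct of Caller Pct of Total
  1 s5                  0 106726 106726 3896181  36.51    45.34 45.34
   1 s5tcp              1 106268 106268 3872032  36.44    99.38 45.06
    1 s5TcpState        2 106240 106240 3757429  35.37    97.04 43.73
     1 s5TcpFlush       3   4683   4683   28215   6.03     0.75  0.33
      1 s5TcpProcessRebuilt 4 4683 4683 3445701 735.79 12211.99 40.10
  3 detect              0 164819 164819 5627954  34.15    65.50 65.50
   1 mpse               1 254861 254861 6212436  24.38   110.39 72.30
   2 rule eval          1    336    336    5716  17.01     0.10  0.07
    1 rule tree eval    2    336    336    5568  16.57    97.41  0.06
"""


def parse_profile(text):
    """Return rows as dicts, with each row's caller resolved from Layer."""
    rows, last_at = [], {}  # last_at: layer -> most recent row seen at that layer
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or not tok[0].isdigit():
            continue  # header, separator or blank line
        # Names may contain spaces, so take the seven numeric fields from the right.
        layer, checks, _exits, usecs = (int(t) for t in tok[-7:-3])
        row = {"name": " ".join(tok[1:-7]), "layer": layer, "checks": checks,
               "usecs": usecs, "pct_caller": float(tok[-2]),
               "parent": last_at.get(layer - 1) if layer else None}
        last_at[layer] = row
        rows.append(row)
    return rows


def exceeds_caller(rows):
    """List (row, caller, recomputed percent) where a row outweighs its caller."""
    hits = []
    for r in rows:
        p = r["parent"]
        if p and r["usecs"] > p["usecs"]:
            hits.append((r["name"], p["name"],
                         round(100.0 * r["usecs"] / p["usecs"], 2)))
    return hits


if __name__ == "__main__":
    for name, caller, pct in exceeds_caller(parse_profile(SAMPLE)):
        print(f"{name}: {pct}% of caller {caller}")
```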

