[Snort-users] Snort 3.0 performance issue

Qinwen Hu qhu009 at aucklanduni.ac.nz
Sat Jun 16 18:15:39 EDT 2018


Hi everyone.

I am using Snort++ 3.0 to do some performance tests. We set up two
scenarios:
1. Running a single flow on a 100Gb high-speed network. Both Pcap and
AFPack DAQ work as expected. AF_Packet captured all the packets and no
packet loss.  PCAP dropped few packets.

2. Running multiple flows with different delays on the same network.  This
time  AFPacket had a bad performance when we compared with PCAP in terms of
the received packet.  For instance

daq (Pcap)
                 received: 695471792
                 analyzed: 14603352
                  dropped: 680868440

daq (AFPacket)
                 received: 16774888
                 analyzed: 16774888
                  dropped: 699072874

>From my understanding, I thought AFPacket will have a better performance
than PCAP.  But why I got different results in here? Besides, I am
wondering, when I can configure the search methods( ac-bnfa, ac_q or ac-split)
in Snort 3.0?


Here is some information about our testing service

Version:Snort++ 3.0.0-243
CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores

Thank you very much.

Best regards,

Steven
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180617/7e587406/attachment.html>


More information about the Snort-users mailing list