[Snort-users] Snort 3.0 performance issue

Carter Waxman (cwaxman) cwaxman at cisco.com
Tue Jun 19 12:47:14 EDT 2018


If these were taken with a similar run time, your performance is better with AFPacket. Analyzed is the number of packets actually processed by Snort. In PCAP, received means “seen by libpcap,” since its managing its own packet queuing above the network driver, where in AFPacket it means “pulled off of the driver’s queue before being pruned.” In both cases, dropped represents “pruned from underlying queue / not seen by Snort.”

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Qinwen Hu <qhu009 at aucklanduni.ac.nz>
Date: Saturday, June 16, 2018 at 6:24 PM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] Snort 3.0 performance issue

Hi everyone.

I am using Snort++ 3.0 to do some performance tests. We set up two scenarios:
1. Running a single flow on a 100Gb high-speed network. Both Pcap and AFPack DAQ work as expected. AF_Packet captured all the packets and no packet loss.  PCAP dropped few packets.

2. Running multiple flows with different delays on the same network.  This time  AFPacket had a bad performance when we compared with PCAP in terms of the received packet.  For instance

daq (Pcap)
                 received: 695471792
                 analyzed: 14603352
                  dropped: 680868440

daq (AFPacket)
                 received: 16774888
                 analyzed: 16774888
                  dropped: 699072874

From my understanding, I thought AFPacket will have a better performance than PCAP.  But why I got different results in here? Besides, I am wondering, when I can configure the search methods( ac-bnfa, ac_q or ac-split) in Snort 3.0?


Here is some information about our testing service

Version:Snort++ 3.0.0-243
CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores

Thank you very much.

Best regards,

Steven
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180619/7eaec219/attachment.html>


More information about the Snort-users mailing list