[Snort-users] Snort 3.0 performance issue

Qinwen Hu qhu009 at aucklanduni.ac.nz
Tue Jun 19 21:16:53 EDT 2018


Hi Carter,

Thank you very much for your response. Based on your explanation, I think
the main issue is the Data Acquisition. Both PCAP and AFPacket seem
insufficient for capturing all packets on a 100Gb/s network.

So the next question is which DAQ should we use in a high-speed network?
We use the DPDK module in another experiment. But we find Snort doesn't
support DPDK yet? Any comments and suggestions will be greatly appreciated.

Best regards,

Steven



On 20 June 2018 at 04:47, Carter Waxman (cwaxman) <cwaxman at cisco.com> wrote:

> If these were taken with a similar run time, your performance is better
> with AFPacket. Analyzed is the number of packets actually processed by
> Snort. In PCAP, received means “seen by libpcap,” since it's managing its
> own packet queuing above the network driver, whereas in AFPacket it means
> “pulled off of the driver’s queue before being pruned.” In both cases,
> dropped represents “pruned from underlying queue / not seen by Snort.”
>
> From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of
> Qinwen Hu <qhu009 at aucklanduni.ac.nz>
> Date: Saturday, June 16, 2018 at 6:24 PM
> To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
> Subject: [Snort-users] Snort 3.0 performance issue
>
> Hi everyone.
>
> I am using Snort++ 3.0 to do some performance tests. We set up two
> scenarios:
>
> 1. Running a single flow on a 100Gb high-speed network. Both the Pcap and
> AFPacket DAQs work as expected. AF_Packet captured all the packets with no
> packet loss. PCAP dropped a few packets.
>
> 2. Running multiple flows with different delays on the same network. This
> time AFPacket had worse performance than PCAP in terms of received
> packets. For instance:
>
> daq (Pcap)
>     received: 695471792
>     analyzed: 14603352
>      dropped: 680868440
>
> daq (AFPacket)
>     received: 16774888
>     analyzed: 16774888
>      dropped: 699072874
>
> From my understanding, I thought AFPacket would have better performance
> than PCAP. But why did I get different results here? Besides, I am
> wondering when I can configure the search methods (ac-bnfa, ac_q
> or ac-split) in Snort 3.0?
>
> Here is some information about our testing service:
>
> Version: Snort++ 3.0.0-243
>
> CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores
>
> Thank you very much.
>
> Best regards,
>
> Steven
>
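As an added example (not code from the thread or from the Snort project), the counter semantics Carter describes can be turned into a capture-health check: parse Snort 3's `daq` counter blocks, apply the per-DAQ meaning of received/dropped, and compute what fraction of the traffic that reached the host Snort actually analyzed. The figures are the ones Steven posted; the block layout regex and the 1% loss threshold are assumptions.

```python
import re

# Snort 3 "daq" counter blocks; the figures are the ones posted in the thread,
# re-typed here as the example's own constructed input.
SNORT_STATS = """
daq (Pcap)
    received: 695471792
    analyzed: 14603352
     dropped: 680868440

daq (AFPacket)
    received: 16774888
    analyzed: 16774888
     dropped: 699072874
"""

# Assumed layout: a "daq (<name>)" header followed by "<counter>: <int>" lines.
BLOCK_RE = re.compile(r"daq \((?P<daq>\w+)\)(?P<body>(?:\s+\w+:\s*\d+)+)")
COUNTER_RE = re.compile(r"(\w+):\s*(\d+)")


def parse_daq_stats(text):
    """Return {daq_name: {counter_name: int}} for every daq block in text."""
    stats = {}
    for m in BLOCK_RE.finditer(text):
        stats[m.group("daq")] = {k: int(v) for k, v in COUNTER_RE.findall(m.group("body"))}
    return stats


def capture_summary(daq, c):
    """Apply the per-DAQ counter semantics from Carter's reply.

    Pcap:     received = seen by libpcap; dropped = pruned from libpcap's own
              queue, so everything that reached libpcap is already in received.
    AFPacket: received = pulled off the driver queue; dropped = pruned from that
              queue before Snort saw it, so offered = received + dropped.
    """
    received, analyzed, dropped = (c.get(k, 0) for k in ("received", "analyzed", "dropped"))
    offered = received if daq.lower() == "pcap" else received + dropped
    frac = analyzed / offered if offered else 0.0
    return {"offered": offered, "analyzed_fraction": frac, "loss_fraction": 1.0 - frac}


def compare_daqs(text, max_loss=0.01):
    """Summarise every DAQ and flag those losing more than max_loss of traffic."""
    summaries = {d: capture_summary(d, c) for d, c in parse_daq_stats(text).items()}
    best = max(summaries, key=lambda d: summaries[d]["analyzed_fraction"])
    flagged = sorted(d for d, s in summaries.items() if s["loss_fraction"] > max_loss)
    return {"summaries": summaries, "best": best, "flagged": flagged}


if __name__ == "__main__":
    result = compare_daqs(SNORT_STATS)
    for daq, s in result["summaries"].items():
        print(f"{daq:9s} offered={s['offered']:>10d} analyzed={s['analyzed_fraction']:.2%}")
    print("best DAQ:", result["best"], " capture loss over 1%:", result["flagged"])
```

With these figures both DAQs analyzed only about 2% of the traffic offered to them, so both are flagged, and AFPacket comes out marginally ahead once its dropped count is added back into the denominator.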