If these were taken with a similar run time, your performance is better with AFPacket. Analyzed is the number of packets actually processed by Snort. In PCAP, received means “seen by libpcap,” since it's managing its own packet queuing above the network driver, whereas in AFPacket it means “pulled off of the driver’s queue before being pruned.” In both cases, dropped represents “pruned from underlying queue / not seen by Snort.”
I am using Snort++ 3.0 to do some performance tests. We set up two scenarios:
1. Running a single flow on a 100Gb high-speed network. Both Pcap and AFPacket DAQ work as expected. AF_Packet captured all the packets with no packet loss. PCAP dropped a few packets.
2. Running multiple flows with different delays on the same network. This time AFPacket had bad performance compared with PCAP in terms of received packets. For instance
From my understanding, I thought AFPacket would have better performance than PCAP. But why did I get different results here? Besides, I am wondering when I can configure the search methods (ac-bnfa, ac_q or ac-split) in Snort 3.0?
Here is some information about our testing service:
CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores
Thank you very much.
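As an added example that is not part of this thread, the script below reads the received/analyzed/dropped counters from two Snort 3 packet-statistics blocks and normalizes them by run time, which is the comparison the reply at the top recommends. The stats text and the numbers are constructed for illustration; the counter names follow the `daq` block of Snort 3's "Packet Statistics" output.

```python
import re

# Constructed sample Snort 3 packet-statistics output for two runs of the
# same traffic, one with the pcap DAQ and one with afpacket.  Numbers are invented.
PCAP_RUN = """
daq
                  received: 10000000
                  analyzed: 9800000
                   dropped: 200000
"""
AFPACKET_RUN = """
daq
                  received: 7500000
                  analyzed: 7500000
                   dropped: 2500000
"""

COUNTER_RE = re.compile(r"^\s*(received|analyzed|dropped):\s*(\d+)\s*$", re.M)


def parse_daq_counters(text):
    """Return {'received': n, 'analyzed': n, 'dropped': n}; absent counters read as 0."""
    counters = {"received": 0, "analyzed": 0, "dropped": 0}
    for name, value in COUNTER_RE.findall(text):
        counters[name] = int(value)
    return counters


def summarize(counters, run_seconds):
    """Normalize one run by its duration so runs of different length compare fairly.

    Following the reply's definitions, 'dropped' is what the DAQ layer pruned before
    Snort saw it, so received + dropped is taken here as the total offered to the DAQ.
    analyzed_pps is the rate of packets Snort actually processed.
    """
    offered = counters["received"] + counters["dropped"]
    drop_pct = 100.0 * counters["dropped"] / offered if offered else 0.0
    return {"drop_pct": round(drop_pct, 2), "analyzed_pps": counters["analyzed"] / run_seconds}


def compare_runs(pcap_text, afpacket_text, pcap_seconds, afpacket_seconds):
    """Summarize both runs and name the DAQ with the higher analyzed packet rate."""
    pcap = summarize(parse_daq_counters(pcap_text), pcap_seconds)
    afp = summarize(parse_daq_counters(afpacket_text), afpacket_seconds)
    better = "afpacket" if afp["analyzed_pps"] > pcap["analyzed_pps"] else "pcap"
    return {"pcap": pcap, "afpacket": afp, "better_analyzed_pps": better}


if __name__ == "__main__":
    print(compare_runs(PCAP_RUN, AFPACKET_RUN, 60.0, 60.0))
```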