If these were taken with a similar run time, your performance is better with AFPacket. Analyzed is the number of packets actually processed by Snort. In PCAP, received means “seen by libpcap,” since its managing its own packet queuing above the network driver, where in AFPacket it means “pulled off of the driver’s queue before being pruned.” In both cases, dropped represents “pruned from underlying queue / not seen by Snort.”

 

From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Qinwen Hu <qhu009@aucklanduni.ac.nz>
Date: Saturday, June 16, 2018 at 6:24 PM
To: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: [Snort-users] Snort 3.0 performance issue

 

Hi everyone.

 

I am using Snort++ 3.0 to do some performance tests. We set up two scenarios:

1. Running a single flow on a 100Gb high-speed network. Both Pcap and AFPack DAQ work as expected. AF_Packet captured all the packets and no packet loss.  PCAP dropped few packets. 

 

2. Running multiple flows with different delays on the same network.  This time  AFPacket had a bad performance when we compared with PCAP in terms of the received packet.  For instance

 

daq (Pcap)

                 received: 695471792

                 analyzed: 14603352

                  dropped: 680868440

 

daq (AFPacket)

                 received: 16774888

                 analyzed: 16774888

                  dropped: 699072874

 

From my understanding, I thought AFPacket will have a better performance than PCAP.  But why I got different results in here? Besides, I am wondering, when I can configure the search methods( ac-bnfa, ac_q or ac-split) in Snort 3.0?

  

 

Here is some information about our testing service

 

Version:Snort++ 3.0.0-243

CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores

 

Thank you very much.

 

Best regards,

 

Steven