Snort mailing list archives

Re: snort 2.0 performance evaluation

From: Jeff Nathan <jeff () snort org>
Date: Tue, 03 Jun 2003 13:27:37 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --On Wednesday, June 4, 2003 0:22 +0800 "Terence R.T. Liu" 
<tie19858 () ms45 hinet net> wrote:


We downloaded the latest snort 2.0 and put it into a P4 IPC w/ PCI-X bus
and 2 broadcom gigabit  NICs. Then we tested it w/ IXIA http generator to
evaluate the performance and throughput. However, the average throughput
is pretty lower from 18Mbps (packet size is 128 bytes) to 80 Mbps (packet
size is 1460 bytes). The number of enabled rule is about 1,300.
Since the current version has employ the Wu's algorithm to handle the
multiple-pattern matching, we assumed the performance should be boosted.

Does anyone figure this out? Does the testing result sound reasonable?

Thanks,
Terry.


Terry,

Can you provide detailed data from your testing?  It is difficult to 
provide an answer without a complete set of data.  Snort has many 
components, several of which must be examined in order to determine which 
of them (if any) is degrading performance.

As I understand it, you have observed detection rates of 18Mb/sec with an 
Ethernet frame size of 128 bytes and 80Mb/sec with an Ethernet frame size 
of 1460 bytes.

For example, your data might be affected by a latency in interrupt request 
servicing.  Packet capture performance is better with large Ethernet frames 
than with small frames.  It is possible the Broadcom cards generate a high 
number of interrupt requests, as is the case with certain gigabit NICs, 
resulting in inefficient packet capture.  A breakdown in I/O external to 
Snort might manifest itself as poor performance.

Without data describing interrupt states, I/O states, cpu and memory 
utilization   and packet capture statistics your question will only receive 
spurious answers.

- -Jeff

- --
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+3QS+Eqr8+Gkj0/0RAub9AJ92gXCg9Z9msR0YunIaKSoLZA9BhACgxyiO
A5G0sb7UslPWH1pU/EgpjrI=
=Tk+e
-----END PGP SIGNATURE-----



-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

snort 2.0 performance evaluation Terence R.T. Liu (Jun 03)
- Re: snort 2.0 performance evaluation Jeff Nathan (Jun 03)
- <Possible follow-ups>
- RE: snort 2.0 performance evaluation James R. Hendrick (Jun 03)