Snort mailing list archives
Re: Performance again
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 23 Dec 2003 17:55:35 +0100
Matt Kettler schrieb:
At 10:55 AM 12/23/2003, Edin Dizdarevic wrote:
[...]
5. Other.with libpcap, packets are queued into a buffer for snort to read. That buffer is a fixed size. When snort reads a packet, it is removed from the buffer and that space is freed for new packets to arrive.
AFAIK there are two buffers: store and hold, at least according to Mr. Stevens. This may not aply to Linux. Anyway, if we use Phil Wood's libpcap it would be possible to virtually extend the buffer size. So with that countermeasure we give Snort more time to finish the tasks pending. Correct so far? But if we go a step further, there are also some Snort parameters whichinfluence the amount of the time Snort has for the individual tasks themselves. If I give the preprocessors more of the machine's (endless)
memory I may remove the bottleneck there. On the other side the libpcap "wants" some memory too and the system itself and so on. Sure, "Throw memory and/or money on it"-approach will almost always solve theproblems one may have, but in this particular case I would prefer choosing another one ;) . I am simply trying to understand how is
everything working together as one complex system. The only information source I have at the moment is the performance monitor. Regards, Edin -- Edin Dizdarevic ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Performance again Edin Dizdarevic (Dec 23)
- Re: Performance again Brian (Dec 23)
- Re: Performance again Edin Dizdarevic (Dec 23)
- Re: Performance again Matt Kettler (Dec 23)
- Re: Performance again Edin Dizdarevic (Dec 23)
- Re: Performance again Matt Kettler (Dec 23)
- Re: Performance again Lawrence Reed (Dec 23)
- Re: Performance again Edin Dizdarevic (Dec 23)
- Re: Performance again Matt Kettler (Dec 23)
- Re: Performance again Edin Dizdarevic (Dec 23)
- Re: Performance again Brian (Dec 23)