Snort mailing list archives

RE: 2.1.3rc1 Performance

From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Thu, 20 May 2004 13:01:20 -0500


If you run snort on that interface... You can kill -USR1 <pid> and it
will dump stats to syslog.  I'd also make sure to run a few different
tests.

You can tell tcpreplay to replay the packets at a certain rate, or even
at a certain multiplication of the original timing.   I'd recommend
doing it normal, doing it at twice the speed, and then doing it as fast
as possible for each of the two pcaps.    

-----Original Message-----
From: Gary_Portnoy () itginc com [mailto:Gary_Portnoy () itginc com] 
Sent: Thursday, May 20, 2004 11:10 AM
To: Kreimendahl, Chad J
Cc: snort-users () lists sourceforge net; Darren Webb
Subject: RE: [Snort-users] 2.1.3rc1 Performance

I'll know for sure tonight.  I am capturing exactly 1 million packets
with 
tcpdump.  Tonight I'll connect two systems with a cross-over cable and
run 
snort on one side with a stripped conf file and tcpreplay (Thanks Chad!)

on the other side to dump out the packets.  I'll run this with both 
versions and see what gets reported.  If libpcap 0.7.2 keeps reporting 0

dropped, I'll try to increase the rate to see if there is a point when
it 
actually reports anything....

-gary-
-------------------------------------------
Gary Portnoy




"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
05/20/2004 11:24 AM

 
        To:     "Darren Webb" <spyder007 () charter net>,
<Gary_Portnoy () itginc com>
        cc:     <snort-users () lists sourceforge net>
        Subject:        RE: [Snort-users] 2.1.3rc1 Performance



The problem isn't freebsd, as far as anyone can tell.  The problem
appears 
to be with libpcap 0.8.3.  Using 0.7.2 resolves this reporting of
dropped 
packets problem.   At this point I'm not completely sure that 0.8.3 is 
actually dropping packets, but may just be reporting drops when there
are 
none. 

-----Original Message-----
From: Darren Webb [mailto:spyder007 () charter net] 
Sent: Wednesday, May 19, 2004 11:55 PM
To: Gary_Portnoy () itginc com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 2.1.3rc1 Performance

We recently switched from Redhat based sensors to FreeBSD and noticed an
alarming jump in dropped packets as well.

You can also try this in addition to perfmon.  (FreeBSD 5.2.1 Snort
2.1.2
Libpcap 0.8.3)

Ps aux | grep snort
Kill -USR1 <pid>
Tail -100 /var/log/messages

(Of course, your commands will vary somewhat on Solaris.)

The output will show stats from when the Snort session was started.  You

can
then check the frag2 and stream4 preprocessors for possible memory
faults
and discarded packets.  We were seeing 40% to 80% packet loss at times
and
by giving these preprocessors extra memory and defining the TTLs better
in
the snort.conf file we are now at 1% or lower.

Hope this helps some.

Darren







-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+-
This message is for the named person's use only. This communication is
for 
informational purposes only and has been obtained from sources believed
to 
be reliable, but it is not necessarily complete and its accuracy cannot
be 
guaranteed. It is not intended as an offer or solicitation for the
purchase
or sale of any financial instrument or as an official confirmation of
any
transaction. Moreover, this material should not be construed to contain
any
recommendation regarding, or opinion concerning, any security. It may
contain confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If
you receive this message in error, please immediately delete it and all
copies of it from your system, destroy any hard copies of it and notify
the
sender. You must not, directly or indirectly, use, disclose, distribute,

print, or copy any part of this message if you are not the intended 
recipient.  Any views expressed in this message are those of the
individual
sender, except where the message states otherwise and the sender is 
authorized to state them to be the views of any such entity.

ITG Inc. reserves the right to monitor and archive all electronic 
communications through its network. 

ITG Inc. Member NASD, SIPC
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+-




-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id149&alloc_id66&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: 2.1.3rc1 Performance, (continued)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 19)
  - RE: 2.1.3rc1 Performance Dirk Geschke (May 19)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 19)
  - RE: 2.1.3rc1 Performance Darren Webb (May 19)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 19)
- RE: 2.1.3rc1 Performance John Creegan (May 19)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 19)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 20)
- RE: 2.1.3rc1 Performance snort user (May 20)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 20)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 20)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 20)