Snort mailing list archives
Flow Management in SnortSP
From: Asim Jamshed <asim.jamshed () gmail com>
Date: Tue, 14 Jun 2011 01:20:01 +0900
Hi,
Our group has been trying to analyze snortsp-3.0.0b3 source code
and how the flow manager performs when different flows are
passed through the IDS simultaneously. For this we have designed
a high speed packet generator that transmits Ethernet packets
(packet size: 1500 Bytes) at 10Gbps line rate.
We performed 2 experiments using libpcap as the DAQ module
with no analyzers attached.
Experiment 1: We transmitted packets (with null payload) of the
same flow (src, dest ip addresses & port numbers the same)
continuously. The average receive bandwidth after passing through
the flow management module (measurements taken at the end of the
src/data_source.c:dsrc_processor() function) was recorded at around
5.7 Gbps.
Experiment 2: We transmitted packets (null payload) with multiple
flows (src, dest ip addresses & port numbers random)
continuously. The average receive bandwidth after flow management
was around 6 Gbps.
We found it a bit challenging to follow how the flow manager
(src/data_source/flow_manager.c) handles incoming traffic for both
experiments. We were wondering if someone could help us answer
the following questions:
1) Why does flow manager handle high-speed incoming traffic of
random flows better when compared with the case of single flow?
2) How does flow management (including lru-based flow deletion)
broadly work in SnortSP? How do flow_slots & traffic classifiers fit
in the flow management?
SnortSP setup
-------------
We were using multi-threaded (`./configure --enable-cpu-time') setup.
snort.lua file contents:
=========================================================
eng.new({name="e1", cpu=0})
dsrc.new({name="s1", type="pcap", snaplen=1514, intf="eth1", flags=2,
tcp={maxflows=131072, maxidle=30, flow_memcap=1000000},
other={maxflows=131072, maxidle=30, flow_memcap=1000000},
display="none"})
eng.link({engine="e1", source="s1"})
eng.start("e1")
==========================================================
Machine Specs:
CPU : Intel(R) Xeon(R) CPU X5680 @ 3.33GHz 12 MB Cache, 12 cores
RAM : 24 GiB (DIMM 1333MHz, 4GiB x6)
NIC : Intel Corporation 82599EB 10-Gigabit Network Connection
Regards,
--Asim
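To make the second question concrete, here is a small, self-contained flow table with the two knobs the post's dsrc.new() config sets (maxflows and maxidle), keyed on the 5-tuple and evicted in LRU order. This is an added illustration of how an IDS flow manager broadly works; it is not SnortSP's flow_manager.c, and its class and function names (FlowTable, FlowKey, track, run_single_flow, run_random_flows) and its bidirectional key normalization are assumptions about the general technique, not a description of SnortSP's code or its slot/classifier layout. The two driver functions replay the shape of Experiment 1 (one flow, every packet hits the same entry) and Experiment 2 (random flows, every packet is a miss that inserts and, once the table is full, evicts the least recently used entry). Packet sizes and addresses are constructed inline.

```python
"""Toy LRU flow table in the style of an IDS flow manager.

Added example, not SnortSP's flow_manager.c. The parameter names mirror
the dsrc.new() options in the post (maxflows, maxidle); the policy shown
(hash lookup on the 5-tuple, idle timeout, LRU eviction when full) is a
generic assumption about what such a manager does, not SnortSP's code.
"""
from collections import OrderedDict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class FlowKey:
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def normalized(self):
        # Treat both directions of a conversation as one flow by ordering
        # the endpoints canonically (an assumption common in flow trackers).
        a = (self.src_ip, self.src_port)
        b = (self.dst_ip, self.dst_port)
        if a <= b:
            return self
        return FlowKey(self.proto, self.dst_ip, self.dst_port,
                       self.src_ip, self.src_port)


@dataclass
class Flow:
    key: FlowKey
    created: float
    last_seen: float
    packets: int = 0
    bytes: int = 0


class FlowTable:
    def __init__(self, maxflows, maxidle):
        self.maxflows = maxflows
        self.maxidle = maxidle          # seconds a flow may sit unseen
        self.flows = OrderedDict()      # front = least recently used
        self.lookups = 0
        self.inserts = 0
        self.lru_evictions = 0
        self.idle_evictions = 0

    def expire_idle(self, now):
        # Entries are in recency order, so stop at the first fresh one.
        # Only run on insert (a miss), so a hit path does one dict op.
        while self.flows:
            _, flow = next(iter(self.flows.items()))
            if now - flow.last_seen <= self.maxidle:
                break
            self.flows.popitem(last=False)
            self.idle_evictions += 1

    def track(self, key, now, length):
        key = key.normalized()
        self.lookups += 1
        flow = self.flows.get(key)
        if flow is None:
            self.expire_idle(now)
            if len(self.flows) >= self.maxflows:
                self.flows.popitem(last=False)   # evict least recently used
                self.lru_evictions += 1
            flow = Flow(key, now, now)
            self.flows[key] = flow
            self.inserts += 1
        else:
            self.flows.move_to_end(key)          # mark as most recently used
        flow.last_seen = now
        flow.packets += 1
        flow.bytes += length
        return flow


def run_single_flow(table, npackets, pps):
    """Experiment 1 shape: one 5-tuple, every packet is a hit (constructed)."""
    key = FlowKey(6, "10.0.0.1", 40000, "10.0.0.2", 80)
    for i in range(npackets):
        table.track(key, i / pps, 1500)
    return table


def run_random_flows(table, npackets, pps, seed=1):
    """Experiment 2 shape: random endpoints, every packet is a miss (constructed)."""
    rng = random.Random(seed)
    for i in range(npackets):
        key = FlowKey(6,
                      "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256)),
                      rng.randrange(1024, 65536),
                      "192.168.%d.%d" % (rng.randrange(256), rng.randrange(256)),
                      rng.randrange(1, 65536))
        table.track(key, i / pps, 1500)
    return table


def summary(table):
    return {"flows": len(table.flows), "inserts": table.inserts,
            "lru_evictions": table.lru_evictions,
            "idle_evictions": table.idle_evictions}
```

Running run_single_flow(FlowTable(131072, 30), 10000, 1e6) gives one insert and no evictions, while run_random_flows(FlowTable(1000, 30), 5000, 1e6) gives 5000 inserts and 4000 LRU evictions with the table pinned at 1000 entries. The toy does not answer question 1 (the single-flow path here is the cheaper one), which is exactly why the measured numbers in the post are worth explaining by someone who knows the real slot and classifier code.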