Re: Snort.org Blog: Snort 2.9.1 beta coming soon!

[Joel Esler <jesler () sourcefire com>]

On Jun 13, 2011, at 4:01 PM, Russ Combs wrote:

> Ok, I get why stream reassembly is theoretically more efficient in a
> single thread because of CPU caching, etc., but I don't understand why
> packets still have to wait in line for a u2 entry to be written.  It
> seems like tossing output from the main thread into an async output
> thread would be pretty easy because you don't have to keep state and
> everything is one-way.  For alerting, the volume is not an issue, but
> as more analysts use packet tagging and now HTTP logging, the strain
> on that single main thread is going to cause packet drops for some if
> they're not extremely careful.  If I'm missing something, I'd be
> grateful for clarification.
>
> Agreed.  I don't think this issue has reached a point where it is on our roadmap yet, but all the extra logging could 
> lead to reevaluating sooner rather than later.  Thanks for your comments.

Martin,

We were just having a discussion on that this morning, so we'll keep it open.  Thanks for your input.  Let's us know 
that the community is concerned as well.

Joel

------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel