Snort mailing list archives
Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled)
From: 김무성 <kimms () infosec co kr>
Date: Wed, 8 Feb 2012 16:25:53 +0900
Normally, when checking the performance of an IDS/IPS, we use a network traffic generator such as IXIA or smartbit. It can show the sent and received traffic volume and how many packets were sent (received). The point in time at which packets are lost is the result of the performance test.

-----Original Message-----
From: balaji patnala [mailto:patnala003 () gmail com]
Sent: Wednesday, February 08, 2012 3:52 PM
To: Sangwoo Moon
Cc: 김무성; snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA enabled)

Hi Sangwoo,

I don't think it is the proper way of doing a performance test. Try to use IXIA or Spirent devices for correct measurements.

bye,
balaji

On 2/7/12, Sangwoo Moon <swmoon () lanada kaist ac kr> wrote:

Hi, thanks for your reply.

I'm transmitting TCP packets with the payload 'No_attack' at a random position in the packet; the rest of the payload is filled with null characters. I checked performance by calling gettimeofday() in the packet callback function and printing the number each second.

--Sangwoo

2012-02-07 5:10 PM, 김무성 wrote:

I think that it's because it depends on the kind of traffic. What packets did the generator send? And how did you check performance?

From: Sangwoo Moon [mailto:swmoon () lanada kaist ac kr]
Sent: Saturday, February 04, 2012 1:59 PM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA enabled)

Hi, I'm Sangwoo Moon from Korea.

I'm trying to use multiple Snort processes on top of the PF_RING DAQ with DNA enabled. I'm using an Intel 82599EB 10-Gigabit NIC for packet reception, and I'm using Snort version 2.9.2.1. I have an Intel Xeon CPU which has 12 cores.

I loaded the DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQ onto each core. Then I ran 12 Snort processes with the following bash script. (The '-j' option in Snort is one that I made for CPU affinitization; 'snort -j 0' means run the Snort process on core 0.)

==============================================
#!/bin/bash
# Start one Snort process per DNA queue (0-10) in the background,
# each pinned to the core with the same number.
for i in `seq 0 1 10`
do
    sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2@$i -j $i > out/snort_$i.out &
done
# Run the last instance (queue 11, core 11) in the foreground.
sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2@11 -j 11 > out/snort11.out
==============================================

I ran a high speed packet generator on the other side with 1500 B packets, and I got some performance numbers.

Sniffing only: 1.11 Gbps total
Analyzing with HTTP rule-sets: 4.6 Gbps total

I configured sniffing mode with an immediately returning packet callback function, and analyzing mode with the full HTTP-related rule sets. I just don't understand why analyzing mode is faster than sniffing mode. Are there any mistakes or misconfigurations that I made?

I'll be waiting for your response.

Thanks and best regards,
--Sangwoo Moon--

-Sangwoo
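The measurement described in the thread (calling gettimeofday() in the packet callback and printing a number each second) can be sketched as below. This is an added example, not code from the thread or from Snort; the rate_meter names are hypothetical and the arrival times are constructed. It divides by the real elapsed time, because a callback-driven timer only fires when a packet arrives and a window can therefore be longer than one second.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Hypothetical meter for one Snort process; not part of Snort or DAQ. */
struct rate_meter  { struct timeval start; uint64_t pkts, bytes; int started; };
struct rate_sample { double seconds, pps, gbps; };

static double tv_diff(const struct timeval *a, const struct timeval *b)
{
    return (double)(a->tv_sec - b->tv_sec) +
           (double)(a->tv_usec - b->tv_usec) / 1e6;
}

/* Call once per packet from the callback. Returns 1 and fills *out when a
 * window of at least one second has closed, otherwise 0. */
int rate_meter_on_packet(struct rate_meter *m, const struct timeval *now,
                         uint32_t wire_len, struct rate_sample *out)
{
    int closed = 0;
    if (!m->started) { m->start = *now; m->started = 1; }
    double elapsed = tv_diff(now, &m->start);
    if (elapsed >= 1.0) {
        /* Divide by the real window length: if no packet arrived for a
         * while, the window is longer than the nominal second. */
        out->seconds = elapsed;
        out->pps  = (double)m->pkts / elapsed;
        out->gbps = (double)m->bytes * 8.0 / elapsed / 1e9;
        m->start = *now;
        m->pkts = m->bytes = 0;
        closed = 1;
    }
    m->pkts++;            /* the current packet belongs to the open window */
    m->bytes += wire_len;
    return closed;
}

int main(void)
{
    /* Constructed arrival times (seconds, microseconds), 1500-byte packets. */
    struct timeval t[] = { {0, 0}, {0, 500000}, {2, 0} };
    struct rate_meter m = {0};
    struct rate_sample s;
    for (int i = 0; i < 3; i++)
        if (rate_meter_on_packet(&m, &t[i], 1500, &s))
            printf("%.1f s window: %.1f pps, %.6f Gbps\n", s.seconds, s.pps, s.gbps);
    return 0;
}
```

With 12 processes, each one reports only its own queue, so the total is the sum of the per-process samples taken over the same interval.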