Snort mailing list archives
Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled)
From: livio Ricciulli <livio () metaflows com>
Date: Tue, 07 Feb 2012 13:41:42 -0800
We have had very good luck with DNA; we are getting up to 6.5 Gbps on a dual X5670 using ICC and thousands of Snort rules (see https://www.metaflows.com/technology/10-gbps-pf_ring-2/), so you should be getting 3-4 Gigs of sustained Snort throughput with what you have.

The only thing: make sure the generated traffic is similar to real traffic, changing the source port for each simulated connection, and optimize the snort.conf.

As far as the sniffing mode being slow, it is probably because you are running into a disk I/O bottleneck or other unrelated issues. Can you send the exact command you use for sniffing mode?

On 02/07/2012 09:30 AM, Sangwoo Moon wrote:
Hi, thanks for your reply.

I'm transmitting TCP packets with the payload 'No_attack' at a random position in the packet; the rest of the payload is filled with null characters.
I checked performance by calling gettimeofday() in the packet callback function and printing the number each second.

--Sangwoo

On 2012-02-07 at 5:10 PM, 김무성 wrote:

I think it depends on the kind of traffic. What packets did the generator send? And how did you check performance?

From: Sangwoo Moon [mailto:swmoon () lanada kaist ac kr]
Sent: Saturday, February 04, 2012 1:59 PM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA enabled)

Hi, I'm Sangwoo Moon from Korea.

I'm trying to use multiple Snort processes on top of the PF_RING DAQ with DNA enabled. I'm using an Intel 82599EB 10-Gigabit NIC for packet reception, and I'm using Snort version 2.9.2.1. I have an Intel Xeon CPU which has 12 cores.

I loaded the DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQ onto each core. Then I ran 12 Snort processes with the following bash script. (The '-j' option in Snort is one that I made for CPU affinitization; 'snort -j 0' means run the Snort process on core 0.)

==============================================
#!/bin/bash
# Start one Snort process per DNA RX queue (dna2@0 .. dna2@10) in the background.
# '-j' is the poster's own CPU-affinity option, not a stock Snort flag.
for i in $(seq 0 1 10)
do
    sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2@$i -j $i > out/snort_$i.out &
done
# The twelfth process (queue 11, core 11) runs in the foreground.
sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq pfring -i dna2@11 -j 11 > out/snort11.out
==============================================

I ran a high-speed packet generator on the other side with 1500 B packets, and I got some performance numbers.

Sniffing only: 1.11 Gbps total
Analyzing with HTTP rule-sets: 4.6 Gbps total

I configured sniffing mode with an immediately returning packet callback function, and analyzing mode with the full HTTP-related rule sets. I just don't understand why analyzing mode is faster than sniffing mode. Are there any mistakes or misconfigurations that I made?
I'll be waiting for your response.

Thanks and best regards,
--Sangwoo Moon--

-Sangwoo

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!