Snort mailing list archives
Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1
From: elof () sentor se
Date: Wed, 20 Feb 2013 10:33:25 +0100 (CET)
On Tue, 19 Feb 2013, Victor Roemer wrote:
> Concerning your performance problems, you'll receive better feedback from the snort-users list, the snort-dev is primarily for receiving patches, discussing development etc.

Thanks for the tip. I'm cross-posting the followups to snort-users as well.

> Your shutdown issue is interesting though. Can you send us the following
> 1. Snort Version

# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

> 2. DAQ version

# snort --daq-list | grep pcap
pcap(v3): readback live multi unpriv
# pkg_info | grep daq
daq-2.0.0

> Also, how are you "shutting down" snort? Which signals are you sending it?

I'm sending a normal TERM signal ('kill <pid>').
Nothing happens unless
a) more packets are seen on the sniffing interface or
b) I run 'kill -9 <pid>'.

/Elof

> I know historically there have been problems with BSDs related to thread synchronization, etc., and most notably we do some special things for OpenBSD to fix these.
>
> - Victor
>
> On Tue, Feb 19, 2013 at 10:41 AM, <elof () sentor se> wrote:
>> I just found something strange:
>>
>> How to reproduce:
>> On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort (compiled from ports).
>> Snort is running fine (as a daemon).
>> I replay a test-pcap with 1 000 000 packets at high speed.
>>
>> 'netstat -B' says:
>>   Pid  Netif   Flags      Recv      Drop     Match   Sblen   Hblen Command
>>   875 pflog0 p--s--l         0         0         0       0       0 pflogd
>>  1757   mon0 p--s---    999988         0    999988       0       0 snort
>>
>> So far everything's good. 0 drops.
>> (the 12 missing packets were dropped externally (in a hub))
>>
>> I stop snort. It terminates just fine within a second or two.
>>
>> Now I run: sysctl net.bpf.zerocopy_enable=1
>> Then I start snort again.
>>
>> Problem #1:
>> I replay the same 1 000 000 packets at the same speed.
>> 'netstat -B' now shows:
>>   Pid  Netif   Flags      Recv      Drop     Match   Sblen   Hblen Command
>>   875 pflog0 p--s--l         0         0         0       0       0 pflogd
>>  1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort
>>
>> Aw! 159417 drops (16%)!
>> This is reproducible every time.
>>
>> Problem #2:
>> When I now try to terminate the snort process, it won't die. It doesn't even start to syslog that it is shutting down. Nothing happens at all. After a few minutes I give up and kill it with -9.
>> This problem only seems to appear if the monitoring NIC is completely silent (as mine are when I don't replay any test packets). If/when I start replaying some packets again, the snort process that I tried to kill (without -9) now finally terminates.
>>
>> Any ideas what is happening here?
>>
>> /Elof
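
Added example, not part of the original thread or of Snort: a small sh/awk helper that turns the `netstat -B` tables quoted above into a per-consumer drop percentage, so the before/after comparison can be scripted on a sensor. The function names `bpf_drop_report` and `bpf_drop_alert` are hypothetical, the sample rows are copied from the post, and the percentage is assumed to be Drop divided by Recv, which matches the 16% figure quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# bpf_drop_report: read `netstat -B` output on stdin and print, per BPF
# consumer: "<pid> <netif> <command> <recv> <drop> <drop_pct>".
# Assumption: drop_pct = 100 * Drop / Recv.
bpf_drop_report() {
    awk '
        $1 == "Pid" { next }                      # skip the header row
        NF >= 9 && $1 ~ /^[0-9]+$/ {
            recv = $4; drop = $5
            # An idle descriptor (Recv 0, e.g. pflogd) has no ratio: report 0.
            pct = (recv > 0) ? 100 * drop / recv : 0
            printf "%s %s %s %d %d %.2f\n", $1, $2, $9, recv, drop, pct
        }'
}

# bpf_drop_alert THRESHOLD: print consumers whose drop_pct exceeds THRESHOLD
# and return 1 if there are any, 0 otherwise.
bpf_drop_alert() {
    bpf_drop_report |
        awk -v t="$1" '$6 + 0 > t + 0 { print; bad = 1 } END { exit bad + 0 }'
}

# Sample input: the two tables quoted in the post (whitespace normalised).
SAMPLE_DEFAULT='Pid Netif Flags Recv Drop Match Sblen Hblen Command
875 pflog0 p--s--l 0 0 0 0 0 pflogd
1757 mon0 p--s--- 999988 0 999988 0 0 snort'

SAMPLE_ZEROCOPY='Pid Netif Flags Recv Drop Match Sblen Hblen Command
875 pflog0 p--s--l 0 0 0 0 0 pflogd
1912 mon0 p--s--- 999978 159417 999978 2096329 2095593 snort'

echo "net.bpf.zerocopy_enable=0:"
printf '%s\n' "$SAMPLE_DEFAULT" | bpf_drop_report
echo "net.bpf.zerocopy_enable=1:"
printf '%s\n' "$SAMPLE_ZEROCOPY" | bpf_drop_report

# On a live FreeBSD sensor: netstat -B | bpf_drop_alert 1
```

Packets the BPF descriptor drops never reach the Snort engine, so a non-zero percentage here is traffic that was not inspected.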
Current thread:
- Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 19)
- Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 Victor Roemer (Feb 19)
- Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 20)
- Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 Victor Roemer (Feb 19)