Snort mailing list archives
Re: high packet loss - low throughput
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 17 Jul 2013 17:01:52 -0400
On 7/17/2013 16:04, Michal Purzynski wrote:
Hello, I can see a strange results on a local snort installation. Either I don't understand something or the statistics aren't precise. Please help me understand. It's an (expanding) two hosts snort setup with 2 x E5-2620 0 @ 2.00GHz / 64GB RAM each. Intel x520 card. Traffic is around 1Gbit to each host. Around 3500 VRT only rules enabled. 8 snort instances load balanced by the pf_ring.
what else is this machine doing besides just snorting the traffic?
The traffic loss is very high - up to 9% per instance (as reported by Sguil which in turn read the snort logs and debug files). A single instance gets from 90 - 150Mbits of traffic and from 10 - 20k pps. To make it worse, the loss is not dependent on the traffic and/or pps at all. Actualy, sometimes I get a 5% of loss on 50Mbits to a single instance.
what happens if you increase the number of snort instances which would thereby reduce the load on each of the instances?
Again, the traffic loss numbers are from the snort stats. There's nothing fancy in the snort conf as well. Daq is configured as follows. config daq: pfring config daq_dir: /opt/pfring/lib/daq config daq_var: clusterid=51 config daq_var: clustermode=5
-- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- high packet loss - low throughput Michal Purzynski (Jul 17)
- Re: high packet loss - low throughput waldo kitty (Jul 17)
- Re: high packet loss - low throughput Michal Purzynski (Jul 17)
- Re: high packet loss - low throughput waldo kitty (Jul 17)
- Re: high packet loss - low throughput Michal Purzynski (Jul 18)
- Re: high packet loss - low throughput Michal Purzynski (Jul 19)
- Re: high packet loss - low throughput waldo kitty (Jul 19)
- Re: high packet loss - low throughput Michal Purzynski (Jul 19)
- Re: high packet loss - low throughput waldo kitty (Jul 19)
- Re: high packet loss - low throughput rmkml (Jul 19)
- Re: high packet loss - low throughput waldo kitty (Jul 19)
- Re: high packet loss - low throughput Michal Purzynski (Jul 17)
- Re: high packet loss - low throughput waldo kitty (Jul 19)
- Re: high packet loss - low throughput waldo kitty (Jul 17)