Re: high packet loss - low throughput

[Michal Purzynski <michal () rsbac org>]

On 7/20/13 5:17 AM, waldo kitty wrote:
> On 7/19/2013 15:51, Michal Purzynski wrote:
> > 64 bit of course. It's Ubuntu 12.04.2, everything updated, etc.
> and i can't help it but this has been nipping at me ever since i read it the
> first time...
>
> 1. why "of course"??
>
> 2. i would try the 32bit load and see what happens there... 64bit stuff takes at
> least twice the space and may be half as fast depending on factors...
>
> [anecdote: we have seen that 64bit doesn't offer an advantages in our
> environments... at best there's twice as much resources needed for roughtly the
> same load and half the speed as well... we've just not been able to truly
> justify the 64bit builds of the firewall we work with but for some reason
> everyone thinks that 64bit is better than the tried, tested and true 32bit stuff...]
>
> with that stated, i would seriously consider testing the 32bit load of SO and
> ensure that it is at least using the PAE kernel so that all that memory is
> recognized and used...
>
> what can it hurt, really? ;)
Yeah, sure I have time to rebuild everything on production 
infrastructure to be 32 bit just to test it ;) I know the story - for 
example a really cool vyatta distribution (firewall, router, etc) 
refused to go 64 bit as the 32 bit version was better in a raw pps. They 
actually did it after all - as the 64 bit version was more scalable, in 
terms of supported netfilter rules and whatnot.

Still, I really appreciate your comments and ideas and find them 
valuable. I just think it's something about the kind of traffic I have 
(mostly http) and a snort configuration.

The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find 
it actualy hard to believe as the "empty" snort used to do around 
250-300Mbit/sec per core here. Empty as in no rules at all.

Still, the packet loss rate does not seem to be connected in any way to 
a Mbit/sec or pps. Need some more ideas, from the snort 
developers/sourcefire team maybe? You know, hidding a good tuning tips 
does not make people buy your products at the end of the day. It can 
only cause people move to another vendor :)

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!