Snort mailing list archives
Re: Packet loss more than 60%.
From: fatema bannatwala <fatema.bannatwala () gmail com>
Date: Tue, 27 Sep 2016 07:40:10 -0400
Yes, we use PF_RING, which is distributing traffic across cores. There are 19 snort instances running on each sensor. The sensors have 20 cores each and one needs to be left open for other things. There are also 19 barnyard2 processes, but those are doing more I/O and not as much CPU. We could try running more instances and see if that helps, as we have 40 virtual CPUs.

Also, to start with, I did the following ethtool settings on each box to reduce packet loss:

    $ sudo ethtool -K eth1 tx off rx off tso off gso off gro off

as it was recommended in a couple of online articles that I was reading yesterday.

We are running ET- and VRT- rule sets currently.

Thanks,
Fatema.

On Mon, Sep 26, 2016 at 6:14 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
> Does the “Thread(s) per core” mean “threads of Snort, per core”? Because if so, that may be an issue…
>
> Are you using PF_RING? Are you distributing the traffic across the cores?
>
> Other than that, there are about a million tweaks you can make for performance. But yeah, what ruleset are you running?
>
> On Sep 26, 2016, at 6:07 PM, fatema bannatwala <fatema.bannatwala () gmail com> wrote:
>
> > Hi,
> >
> > We have two snort sensors each with 40 CPU cores and running 19 snort instances on CentOS 6.8. I looked at the snort per-process stats on one of the sensors and noticed a less than ideal drop rate:
> >
> >     62.2%   0% dropped
> >     29.5%   1-9% dropped
> >     04.7%   10-19% dropped
> >     02.1%   20-29% dropped
> >     00.8%   30-39% dropped
> >     00.4%   40-49% dropped
> >     00.1%   50-59% dropped
> >     00.1%   60-69% dropped
> >
> > It would make sense that the processes dropping traffic are seeing more traffic, so the total % of packets dropped is likely higher than what the above would indicate.
> >
> > Are there any specific settings that can be tweaked to reduce the capture loss? I think commenting out some rules might be a better approach though.
> >
> > CPU architecture info:
> >
> >     Architecture:          x86_64
> >     CPU op-mode(s):        32-bit, 64-bit
> >     CPU(s):                40
> >     On-line CPU(s) list:   0-39
> >     Thread(s) per core:    2
> >     Model name:            Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz
> >
> > Any help would be appreciated.
> >
> > Thanks,
> > Fatema.
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
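The original post's observation that per-instance drop buckets understate total loss can be checked by weighting each instance by the traffic it was offered. The following is an added example, not code from the thread: it assumes the `Received:` / `Dropped:` lines of the Snort 2.x exit statistics and that loss is measured against received plus dropped packets; the counters and instance labels are constructed.

```python
import re
from collections import Counter

# Constructed sample: exit statistics of three hypothetical Snort instances.
# Assumption: lines follow the Snort 2.x "Packet I/O Totals" layout.
SAMPLE = """\
instance-01
   Received:      1000000
    Dropped:            0 (  0.000%)
instance-02
   Received:      4000000
    Dropped:      1000000 ( 20.000%)
instance-03
   Received:      9000000
    Dropped:      6000000 ( 40.000%)
"""

COUNTER = re.compile(r"^\s*(Received|Dropped):\s+(\d+)", re.M)

def parse_instances(text):
    """Return one (received, dropped) pair per instance, in input order."""
    pairs, received = [], None
    for name, value in COUNTER.findall(text):
        if name == "Received":
            received = int(value)
        elif received is not None:
            pairs.append((received, int(value)))
            received = None
    return pairs

def drop_pct(received, dropped):
    """Loss as a share of packets offered to the instance (received + dropped)."""
    offered = received + dropped
    return 100.0 * dropped / offered if offered else 0.0

def bucket(pct):
    """Map a percentage to the bucket labels used in the post."""
    n = int(pct)  # truncates, so 0.4% lands in "0%"
    if n < 10:
        return "0%" if n == 0 else "1-9%"
    return f"{n // 10 * 10}-{n // 10 * 10 + 9}%"

def summarize(pairs):
    """Histogram of instances, unweighted mean, and traffic-weighted loss."""
    pcts = [drop_pct(r, d) for r, d in pairs]
    total = drop_pct(sum(r for r, _ in pairs), sum(d for _, d in pairs))
    return {"buckets": dict(Counter(map(bucket, pcts))),
            "mean_of_instances": sum(pcts) / len(pcts) if pcts else 0.0,
            "aggregate": total}
```

With the constructed counters, the three instances average 20% loss, but the sensor as a whole loses about 33% because the busiest instance drops the most.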