Snort mailing list archives

Re: Snort 3.0 performance issue


From: Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Wed, 20 Jun 2018 13:16:53 +1200

Hi Carter,

Thank you very much for your response. Based on your explanation, I think
the main issue is the Data Acquisition. Both PCAP and AFPacket seem less
than sufficient for capturing all packets via a 100Gb/s network.

So the next question is which DAQ should we use in a high-speed network?
We use the DPDK module in another experiment. But we find Snort doesn't
support DPDK yet? Any comments and suggestions will be greatly appreciated.

Best regards,

Steven



On 20 June 2018 at 04:47, Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:

If these were taken with a similar run time, your performance is better
with AFPacket. Analyzed is the number of packets actually processed by
Snort. In PCAP, received means "seen by libpcap," since it's managing its
own packet queuing above the network driver, whereas in AFPacket it means
"pulled off of the driver's queue before being pruned." In both cases,
dropped represents "pruned from underlying queue / not seen by Snort."



*From: *Snort-users <snort-users-bounces () lists snort org> on behalf of
Qinwen Hu <qhu009 () aucklanduni ac nz>
*Date: *Saturday, June 16, 2018 at 6:24 PM
*To: *"snort-users () lists snort org" <snort-users () lists snort org>
*Subject: *[Snort-users] Snort 3.0 performance issue



Hi everyone.

I am using Snort++ 3.0 to do some performance tests. We set up two
scenarios:

1. Running a single flow on a 100Gb high-speed network. Both Pcap and
AFPacket DAQ work as expected. AF_Packet captured all the packets with no
packet loss. PCAP dropped a few packets.

2. Running multiple flows with different delays on the same network. This
time AFPacket had bad performance when compared with PCAP in terms of
received packets. For instance:

daq (Pcap)
                 received: 695471792
                 analyzed: 14603352
                  dropped: 680868440

daq (AFPacket)
                 received: 16774888
                 analyzed: 16774888
                  dropped: 699072874

From my understanding, I thought AFPacket would have better performance
than PCAP. But why did I get different results here? Besides, I am
wondering when I can configure the search methods (ac-bnfa, ac_q
or ac-split) in Snort 3.0?

Here is some information about our testing setup:

Version: Snort++ 3.0.0-243
CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores

Thank you very much.

Best regards,

Steven
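
The following is an added illustration, not code from the thread or from the Snort project: it parses the two "daq (...)" counter blocks quoted above and normalizes them according to Carter's explanation of what "received" means for each module (for PCAP the drops are already inside "received"; for AFPacket they are counted separately), so that the analyzed and dropped fractions of both runs can be compared on the same base. The counter semantics encoded in `normalize()` are taken from Carter's reply; the assumption that these two DAQ modules are the only ones handled is mine.

```python
import re

# Constructed sample input: the counter blocks exactly as quoted in the thread.
PCAP_STATS = """daq (Pcap)
                 received: 695471792
                 analyzed: 14603352
                  dropped: 680868440
"""

AFPACKET_STATS = """daq (AFPacket)
                 received: 16774888
                 analyzed: 16774888
                  dropped: 699072874
"""

DAQ_HEADER_RE = re.compile(r"daq \((\w+)\)")
COUNTER_RE = re.compile(r"^\s*(received|analyzed|dropped):\s*(\d+)\s*$", re.M)


def parse_daq_stats(text):
    """Return (daq_name, {counter: int}) from one Snort 3 'daq (...)' block."""
    header = DAQ_HEADER_RE.search(text)
    if header is None:
        raise ValueError("no 'daq (...)' header found")
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = {"received", "analyzed", "dropped"} - counters.keys()
    if missing:
        raise ValueError(f"missing counters: {sorted(missing)}")
    return header.group(1), counters


def normalize(daq, counters):
    """Put both DAQ modules on the same base ('total packets the DAQ saw').

    Per Carter's explanation in the thread:
      pcap:     received = seen by libpcap, and dropped packets are already
                part of that number (received == analyzed + dropped).
      afpacket: received = pulled off the driver queue; dropped packets were
                pruned before that, so they must be added to get the total.
    Any other module is rejected rather than guessed at (assumption: only
    these two are handled here).
    """
    name = daq.lower()
    if name == "pcap":
        total_seen = counters["received"]
    elif name == "afpacket":
        total_seen = counters["received"] + counters["dropped"]
    else:
        raise ValueError(f"unknown counter semantics for DAQ module {daq!r}")
    return {
        "daq": daq,
        "total_seen": total_seen,
        "analyzed": counters["analyzed"],
        "analyzed_pct": 100.0 * counters["analyzed"] / total_seen,
        "dropped_pct": 100.0 * counters["dropped"] / total_seen,
    }


def pcap_counters_consistent(counters):
    """Sanity check for the PCAP semantics: received should equal analyzed + dropped."""
    return counters["received"] == counters["analyzed"] + counters["dropped"]


def compare_runs(*blocks):
    """Parse and normalize several counter blocks; returns {daq_name: normalized}."""
    results = {}
    for block in blocks:
        daq, counters = parse_daq_stats(block)
        results[daq.lower()] = normalize(daq, counters)
    return results


if __name__ == "__main__":
    for run in compare_runs(PCAP_STATS, AFPACKET_STATS).values():
        print(f"{run['daq']:9s} saw {run['total_seen']:>10d} packets, "
              f"analyzed {run['analyzed_pct']:.2f}%, dropped {run['dropped_pct']:.2f}%")
```

On the numbers quoted in the thread this shows that the two "received" values are not comparable as printed: PCAP saw about 695 million packets and AFPacket about 716 million, and AFPacket analyzed a slightly larger share of what it saw, which is the sense in which Carter calls it the better result.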

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
