Snort mailing list archives

Re: cpu usage by component


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 09 Sep 2003 11:04:57 -0400

At 06:19 PM 9/8/2003 -0400, Oliver Dain wrote:
The question is, relative to one another, how much time does the rules engine,
the various cpu intensive preprocessors and the user/kernel boundary crossing
require?  Does stream4 use 10 times as much cpu as the rules engine? Is most
of the cpu time spent getting packets from the NIC, through the kernel and
into user space?

I can't speak authoritatively, however based on my experience:

conversation and portscan2 as a collective pair seem to use more memory and CPU than anything else in snort by a factor of at least 4. Based on what they do I can't quite understand why, but on low cpu power systems these two cause extreme packet loss (>10%), even when monitoring a mere 2mbit/sec link on a p-133 that was dedicated to snort. Disabling those two caused the packet loss rate to drop by a factor of 100 (from >10% to approximately 0.1%).


Based on what it does, I would venture to guess the stream4 preprocessor takes about as much CPU time as a few case-insensitive content searches. However, I would have expected the same of conversation and portscan2 and clearly their usage is significantly higher. However, stream4 doesn't seem to present a problem for low-end hardware, so my expectations are probably within reason.

Getting packets from the NIC can be either easy or extremely painful depending on your NIC design. However, assuming you're using something of reasonably efficient design (i.e., not a realtek chipset) this shouldn't be that much of the CPU time. Cross-overs from kernel to user-space are a bit pricey, but the rule engine should be considerably more expensive CPU-wise.

I know I'm not giving you any hard numbers, but my expectations would be that the CPU usage would probably break down something along these lines, ignoring conversation/portscan2, which would easily make these numbers insignificant.

rules engine - 70% (assuming a fair amount of content searching caused by the traffic profile)
stream4 - 15% (assuming some processing and a memcopy to buffer the data)
kernel copy to userspace - 10% (assuming most of the work is a memcopy and a context switch)
nic management - 5% (assuming that a double-copy isn't required due to inefficient busmastering alignments)
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users