2.1.3rc1 Performance

[Gary_Portnoy () itginc com]

Yesterday I replaced my 2.1.1RC1 build with 2.1.3RC1.  Today I checked the 

perfmon stats and nearly fell off my chair.  They are reporting that snort 

is dropping on average about 15% of traffic.  With 2.1.1RC1 perfmon has 
always reported 0% pkts dropped and I believed it.  Now I am seeing that 
there are times when snort is dropping as much as 89%, and that is at 
times with only 0.9mbps throughput and using 11% of the cpu.  Some other 
times i am seeing drop rates of 12% with 5.1mbps throughput while using 
77% of the cpu.

Two questions:

1.  Is there a bug with reporing stats in 2.1.3 or was there one in 2.1.1 
where %pkts dropped simply wasn't reported?  Or is snort 2.1.3rc1 just 
that much less efficient?

2.  What is the most common bottleneck: the cpu or the nic?  In other 
words, why would i be dropping 89% of the traffic while using only 11% of 
the CPU sometimes while at other times I am dropping much less with more 
cpu used?

-Gary
-------------------------------------------
Gary Portnoy






-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
This message is for the named person's use only. This communication is for 
informational purposes only and has been obtained from sources believed to 
be reliable, but it is not necessarily complete and its accuracy cannot be 
guaranteed. It is not intended as an offer or solicitation for the purchase
or sale of any financial instrument or as an official confirmation of any
transaction. Moreover, this material should not be construed to contain any
recommendation regarding, or opinion concerning, any security. It may
contain confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission. If
you receive this message in error, please immediately delete it and all
copies of it from your system, destroy any hard copies of it and notify the
sender. You must not, directly or indirectly, use, disclose, distribute, 
print, or copy any part of this message if you are not the intended 
recipient.  Any views expressed in this message are those of the individual
sender, except where the message states otherwise and the sender is 
authorized to state them to be the views of any such entity.

ITG Inc. reserves the right to monitor and archive all electronic 
communications through its network. 

ITG Inc. Member NASD, SIPC
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-



-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users