Snort mailing list archives

Comparison of freebsd and linux [was: snort packet loss rate]


From: "Jin Fang" <jin.fang () utoronto ca>
Date: Thu, 27 Apr 2006 15:13:37 -0400

Hello,

I have finally worked out this issue.

I now have some comparisons for two platforms:
(All hardware specifications are the same)


            Box F1             Box F2             Box L1
            (FreeBSD 5.2.1)    (FreeBSD 5.2.1)    (Linux 2.6.9)

drop:       ~80%               ~80%               ~80%

After I made the following changes on F1 and L1:

on F1:
1. enable device_polling
2. disable hyperthreading
3. disable SMP and leave only 1 CPU
4. enlarge libpcap memory usage
5. downgrade libpcap 0.9.4 to 0.8.3 and
   change the source code

on L1:
1. install mmap libpcap

The results are:
            Box F1             Box F2             Box L1
            (FreeBSD 5.2.1)    (FreeBSD 5.2.1)    (Linux 2.6.9)

drop:       ~80%               ~80%               ~50%

With no rules and no preprocessors, they are:

            Box F1             Box F2             Box L1
peak:       0.1%               21%                0.05%


And on the Linux 2.6.9 box, I disabled about half of the rules
which don't have any content (those are basically
rules firing alarms on SYN packets to predefined networks).

Now, the packet rate remains under 0.1%.

So the problems lie with libpcap things and the performance
of Snort itself (rules without content).

Thanks everybody for your help.
I would appreciate it if this could bring the attention of the Snort
people, as those no-content rules are definitely effective for
us but have sluggish performance.

Jin

----- Original Message -----
From: "Justin Heath" <jheath () sourcefire com>
To: "Jin Fang" <jin.fang () utoronto ca>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, April 26, 2006 10:56 AM
Subject: Re: [Snort-users] snort packet loss rate




I am assuming that you recompiled snort and tcpdump with 0.8.3.

I can't say for sure that the libpcap behavior is causing your issue;
however, I have seen that behavior in 0.9.4.

Also, keep in mind that whenever you kill Snort there are still unprocessed packets
it has not been able to pull from the buffer. This will also skew your
results. The packets that are still outstanding are currently reported in
your overall received packet count. We have recently added a category for
outstanding packets that will clarify this issue. I believe this will be part
of the 2.6.0 release.

Anyway, if you are seeing the same behaviour with other tools such as tcpdump,
the issue is external to Snort.


On Wednesday 26 April 2006 10:38, Jin Fang wrote:
I just tried libpcap 0.8.3.
No difference.

> Downgrade your libpcap and you should see your packet count stats drop by
> 1/2.
> Either that or ignore the fact that libpcap is counting them twice.
>
>
> Cheers,
> Justin Heath




