Snort mailing list archives

Re: Unusual Snort performance stats


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 23 Feb 2010 09:59:55 +1300

On 02/23/2010 05:29 AM, Matt Watchinski wrote:

> 1. Outstanding means that packets never got out of the ethernet card
> before they got dropped.  i.e. pcap didn't get to them before they
> disappeared.

Well that does my mind in. Can you explain to the uninitiated how snort
can know a packet was received by an Ethernet card, but then dropped
before it got out of the card?

Does that mean there are two ways to drop packets? Am I correct in
saying that "dropped packets" implies the OS (i.e. pcap) received the
packet but dropped it due to snort/userspace being too busy to extract
all the buffer within some time period, but "outstanding" is just as
bad? I've only ever noticed the "Dropped" field before :-(

> This stat means that some percentage of your traffic contains
> protocols that snort doesn't do anything with.  Tracking these down
> and adding BPFs to ignore them could improve performance.


That's good advice we could all use I'm sure!

> 3. Are you using CPU affinity to lock the snort process to a specific
> CPU?  If not this is something to try.  If snort bounces to another
> CPU then the cache line is reset and performance can suffer.


Are you saying that there's real value in ensuring snort remains on the
same CPU - even over restarts? Why would the cache matter? I mean,
restarting snort means your IDS is deactivated until it's fully
operational again - does keeping it on the same CPU simply minimize that
outage, or do you mean something else?

Lots of yummy stuff in your message to chew on :-)

Jason


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
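An added example, not from this thread or from the Snort project: a small parser for Snort's packet-totals statistics that treats "Dropped" (pcap buffer overrun in the OS) and "Outstanding" (lost before pcap ever saw them) as one "never analyzed" figure, since either one is a blind spot for the sensor. The sample block is constructed, and the "Label: count" layout is assumed to match Snort 2.x statistics output.

```python
import re

# Constructed sample in the style of Snort's "Packet I/O Totals" block.
# The "Label: count" layout is an assumption about Snort 2.x output.
SAMPLE_STATS = """\
Packet I/O Totals:
   Received:      1000000
   Analyzed:       998500 ( 99.850%)
    Dropped:          900 (  0.090%)
   Filtered:            0 (  0.000%)
Outstanding:          600 (  0.060%)
"""

# One counter per line: a known label, a colon, then the integer count.
_COUNTER = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding):\s+(\d+)", re.M
)


def parse_packet_totals(text: str) -> dict:
    """Return the integer counters found in a Snort packet-totals block."""
    return {label: int(count) for label, count in _COUNTER.findall(text)}


def loss_summary(counters: dict, threshold_pct: float = 0.1) -> dict:
    """Combine Dropped and Outstanding into one loss figure.

    Dropped packets reached the OS (pcap) but were discarded because
    userspace did not drain the buffer in time; Outstanding packets were
    lost before pcap got to them. Both were never inspected by the
    detection engine, so both count against the sensor's coverage.
    """
    received = counters.get("Received", 0)
    dropped = counters.get("Dropped", 0)
    outstanding = counters.get("Outstanding", 0)
    lost = dropped + outstanding
    pct = (100.0 * lost / received) if received else 0.0
    return {
        "received": received,
        "dropped": dropped,
        "outstanding": outstanding,
        "lost_pct": round(pct, 3),
        "over_threshold": pct > threshold_pct,
    }


if __name__ == "__main__":
    print(loss_summary(parse_packet_totals(SAMPLE_STATS)))
```

Feed it the statistics block Snort prints on exit (or on SIGUSR1) and alert when the combined loss crosses the threshold, rather than watching the "Dropped" line alone.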

