Snort mailing list archives

Re: Snort performance output strangeness?


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 23 Jul 2010 12:04:37 -0400

I used to work as a dev for a Snort-based IDS product. The current
--with-libpfring-* stuff in snort's ./configure is a result of that
work. This was about 3 years ago, so be aware that my info is a little
dated. There have been a lot of changes to PF_Ring since then, so this
info might be totally irrelevant if you are using the latest version
with all the bells and whistles (PF_RING-aware drivers, TNAPI, etc).

We were looking to increase capture performance and did a comparison
between stock libpcap, Phil Wood's libpcap, and PF_Ring. What I found
was that on linux, at the same speed (~500Mb/s) with the same traffic,
and the same snort config, performance really depended on snaplength.
PF_Ring performed better if the snaplength was ~512 or less and Phil
Wood's performed better at ~512 or greater. At the time, stock libpcap
did not perform as well as either one. I do not remember what the
actual versions of each we were using during the test.

I have only played around with PF_Ring since then, but the main
reasons I have not seriously looked at it again are:

1. The same problem you are seeing. The weird stats in Snort drive me
nuts. You can get dropped packet info from /proc with PF_Ring, but I
want to know what snort actually thinks its performance is. If this
issue were resolved I would definitely look at PF_Ring again, because
I did like the /proc information. Just not enough to solely rely on
it.

2. It was a PIA to have to keep patching the kernel and libpcap just to use it.
3. No tarball (svn only). For the love of God, roll a tarball and
version it! Or better yet provide a version of libpcap that is already
patched.
4. No real need. Stock libpcap-1.0 captures great at the speeds I need
to support today.

Hope that helps.

Wally


On Fri, Jul 23, 2010 at 10:37 AM, Jimmy Crackcorn
<jimmy.cr4ckc0rn () gmail com> wrote:
How significant was your drop in performance once you stopped using PF_RING?

Cheers

On Thu, Jul 22, 2010 at 17:28, Jason Wallace <jason.r.wallace () gmail com> wrote:
I believe this will happen regardless of what libpcap you use if you
are using PF_RING. It is one of the reasons I stopped using PF_RING.

Wally

On Thu, Jul 22, 2010 at 7:18 PM, Jimmy Crackcorn
<jimmy.cr4ckc0rn () gmail com> wrote:
Interesting.  I've got PF_RING enabled as Jason mentioned but I'm
running libpcap 1.0.  It is CentOS so it's possible that the patch
somehow is still managing to mangle things.  Do you guys at SF run
PF_RING and if so, do you see the same stats?

Thanks for the responses!

On Tue, Jul 20, 2010 at 15:56, Ryan Jordan <ryan.jordan () sourcefire com> wrote:
This is a common bug when using Red Hat's version of libpcap 0.9.4.
The original had a bug in the received count, and Snort had a
workaround. Then Red Hat backported the bugfix to libpcap 0.9.4
instead of shipping 0.9.5, screwing up our workaround and causing the
stats you see.

Short version: upgrade libpcap.

-Ryan

On Tue, Jul 20, 2010 at 5:12 PM, Jason Wallace
<jason.r.wallace () gmail com> wrote:
Are you using a PF_Ring enabled libpcap? I've seen that happen when
using PF_Ring.

Wally

On Tue, Jul 20, 2010 at 1:32 PM, Jimmy Crackcorn
<jimmy.cr4ckc0rn () gmail com> wrote:
Hi,

When I do a 'kill -USR1 <pid>' to see the performance stats on one of
my snort processes (2.8.5.3), I see the following:

Jul 20 17:19:22 localhost snort[2296]:
===============================================================================
Jul 20 17:19:22 localhost snort[2296]: Packet Wire Totals:
Jul 20 17:19:22 localhost snort[2296]:    Received:    706180384
Jul 20 17:19:22 localhost snort[2296]:    Analyzed:   1359324466 (192.490%)
Jul 20 17:19:22 localhost snort[2296]:     Dropped:     26517651 (3.755%)
Jul 20 17:19:22 localhost snort[2296]: Outstanding: 18446744073029889883 (2612185850949.648%)
Jul 20 17:19:22 localhost snort[2296]:
===============================================================================

The percentages are leaving me scratching my head (especially
"Outstanding").  Can anyone enlighten me?

Cheers

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


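The "Outstanding" figure in Jimmy's quoted stats is what you get when Snort subtracts Analyzed and Dropped from an under-reported Received count in unsigned 64-bit arithmetic: the result wraps around 2^64 instead of going negative. The following added example (not Snort's own code; the formula is an assumption that happens to reproduce the quoted number exactly) recomputes the counters and adds the consistency check a sensor operator can apply before trusting the output.

```c
/* Added example, not Snort's code: reproduce the wrapped "Outstanding"
 * counter from the quoted 'kill -USR1' output and add a consistency
 * check for the values an operator pulls out of the log. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

struct wire_totals {
    uint64_t received;
    uint64_t analyzed;
    uint64_t dropped;
};

/* Assumption: outstanding = received - analyzed - dropped, in unsigned
 * 64-bit arithmetic. When the capture library under-reports "received"
 * (the libpcap 0.9.4 issue Ryan describes), the subtraction wraps
 * around 2^64 rather than going negative. */
uint64_t outstanding(const struct wire_totals *t)
{
    return t->received - t->analyzed - t->dropped;
}

/* Percentage of "whole" that "part" represents; 0 when whole is 0. */
double pct(uint64_t part, uint64_t whole)
{
    return whole ? 100.0 * (double)part / (double)whole : 0.0;
}

/* Sanity check: analyzed + dropped can never exceed received. Returns
 * false when the counters cannot be trusted (broken received count from
 * a patched libpcap or PF_RING). The order of comparisons avoids any
 * wrap in the check itself. */
bool totals_consistent(const struct wire_totals *t)
{
    return t->analyzed <= t->received &&
           t->dropped <= t->received - t->analyzed;
}

/* Values constructed from Jimmy's quoted stats above. */
static const struct wire_totals quoted = {
    706180384ULL, 1359324466ULL, 26517651ULL
};

int main(void)
{
    printf("Analyzed:    %llu (%.3f%%)\n",
           (unsigned long long)quoted.analyzed,
           pct(quoted.analyzed, quoted.received));
    printf("Outstanding: %llu\n", (unsigned long long)outstanding(&quoted));
    printf("consistent:  %s\n",
           totals_consistent(&quoted) ? "yes" : "NO, received count is broken");
    return 0;
}
```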

