Snort mailing list archives
Re: Intel X520 and Multi-Queue Snort
From: Martin Holste <mcholste () gmail com>
Date: Fri, 13 May 2011 08:30:54 -0500
One more thing I'll add: we've also run Endace in the past, but we only got a small performance improvement because Snort quickly becomes CPU-bound. Obviously, at speeds over 1 gig you're going to have a huge packet collection overhead (which Endace will eliminate), but remember that if at speeds of < 1 gig you are CPU bound, you'll be even more CPU bound at > 1 gig. Unless you're doing heavy BPF filtering or are running just a few rules, you're going to need at least 16 cores to do significant pattern matching at over a gig with zero drops.

On Thu, May 12, 2011 at 5:22 PM, Mike Lococo <mikelococo () gmail com> wrote:
Will,

Read up on TNAPI. It is explicitly designed to do what you want I think, as long as your card uses a TNAPI driver. I realize this isn't a "native" solution, but, I don't know of any, so.... http://www.ntop.org/TNAPI.html

Thanks for your response. I've actually read that document several times in the past, but I don't think I was prepared to fully understand its implications until just now:

1) There are no in-kernel native linux-drivers that expose multiple-queues to userspace.
2) For the hardware it supports (which includes X520's based on the 82599 chipset), PFRING + TNAPI is the solution to that problem.

My mind has been warped by years of primarily snorting on Endace hardware where the standard network stack is bypassed by proprietary drivers which are the only way to drive the hardware at all. Those drivers do natively expose the multiple queues in the hardware, which colored my expectation coming into this discussion.

I'll start testing PFRING. Thanks for the feedback.

Cheers,
Mike Lococo