Snort mailing list archives
Multiprocessing Snort with PF_RING DAQ (DNA enabled)
From: Sangwoo Moon <swmoon () lanada kaist ac kr>
Date: Sat, 04 Feb 2012 13:58:40 +0900
Hi, I'm Sangwoo Moon from Korea.I'm trying to use multiple Snort processes on the top of PF_RING DAQ with DNA enabled.
I'm using Intel 82599EB 10-Gigabit NIC for packet reception, and I'm using Snort version 2.9.2.1.
I have Intel Xeon CPU which has 12 cores.I loaded DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQs onto each cores. Then I ran 12 Snort processes like following bash script. ('-j' option in Snort is that I made it for CPU affinitization, 'snort -j 0' means run Snort process in core 0.)
============================================== #!/bin/bash for i in `seq 0 1 10` dosudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq pfring -i dna2@$i -j $i > out/snort_$i.out &
donesudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq pfring -i dna2@11 -j 11 > out/snort11.out
==============================================I ran high speed packet generator on the other side with 1500 B packets, and I got some performance numbers.
Sniffing only: 1.11 Gbps total Analyzing with HTTP rule-sets: 4.6 Gbps totalI configured sniffing mode with immediately returning packet callback function, analyzing mode with full HTTP-related rule sets.
I just don't understand why does analyzing mode is faster than sniffing mode.. Is there any mistakes or misconfigurations that I made?
I'll be waiting for your response. Thanks and best regards, --Sangwoo Moon
------------------------------------------------------------------------------ Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Multiprocessing Snort with PF_RING DAQ (DNA enabled) Sangwoo Moon (Feb 06)
- Message not available
- Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled) Sangwoo Moon (Feb 07)
- Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled) balaji patnala (Feb 08)
- Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled) 김무성 (Feb 07)
- Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled) livio Ricciulli (Feb 08)
- Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled) Livio Ricciulli (Feb 08)
- Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled) Sangwoo Moon (Feb 07)
- Message not available