Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled)

[Sangwoo Moon <swmoon () lanada kaist ac kr>]

Hi, thanks for your reply.

I'm transmitting TCP packet with payload 'No_attack' at random position
of packet, rest of payloads are filled with null characters.
I checked performance by calling gettimeofday() at packet callback
function and print the number each second.

--Sangwoo

2012-02-07 오후 5:10, 김무성 쓴 글:
> I think that it’s because depend on kind of traffic.
>
> What packet did generator send?
>
> And how did you check performance?
>
> *From:*Sangwoo Moon [mailto:swmoon () lanada kaist ac kr]
> *Sent:* Saturday, February 04, 2012 1:59 PM
> *To:* snort-devel () lists sourceforge net
> *Subject:* [Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA
> enabled)
>
> Hi,
>
> I'm Sangwoo Moon from Korea.
>
> I'm trying to use multiple Snort processes on the top of PF_RING DAQ
> with DNA enabled.
>
> I'm using Intel 82599EB 10-Gigabit NIC for packet reception, and I'm
> using Snort version 2.9.2.1.
> I have Intel Xeon CPU which has 12 cores.
>
> I loaded DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQs onto
> each cores.
> Then I ran 12 Snort processes like following bash script. ('-j' option
> in Snort is that I made it for CPU affinitization, 'snort -j 0' means
> run Snort process in core 0.)
>
> ==============================================
>
> #!/bin/bash
>
> for i in `seq 0 1 10`
> do
> sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq
> pfring -i dna2@$i -j $i > out/snort_$i.out &
> done
> sudo snort -c etc/snort.conf --daq-dir=////usr/local/lib/daq// --daq
> pfring -i dna2@11 -j 11 > out/snort11.out
>
> ==============================================
>
> I ran high speed packet generator on the other side with 1500 B
> packets, and I got some performance numbers.
>
> Sniffing only: 1.11 Gbps total
> Analyzing with HTTP rule-sets: 4.6 Gbps total
>
> I configured sniffing mode with immediately returning packet callback
> function, analyzing mode with full HTTP-related rule sets.
>
> I just don't understand why does analyzing mode is faster than
> sniffing mode.. Is there any mistakes or misconfigurations that I made?
>
> I'll be waiting for your response.
>
> Thanks and best regards,
> --Sangwoo Moon


-- 
-Sangwoo

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!