Snort mailing list archives

Previous By Date Next
Previous By Thread Next

PF-ring and snort performance

From: Vinayak Malshetty <Vinayak_Malshetty () mindtree com>
Date: Wed, 18 Jul 2012 13:10:59 +0000
Hi all,

I am using pfsend and snort (installed with pfring DAQ module) for sending traffic and capturing reply. I am seeing 
performance related issues which is as below

A5(linux m/c) ----------------A6(linux m/c)

Running pfsend on A6 machine as "./pfsend -i eth4 -l 64 -r 1" to send traffic at 1G/s
Running snort on A5 machine as snort --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i eth4 -c  
sample.conf
When I take a look at statistics reported by snort I am observing that %dropped is almost 70% ,not capturing all the 
packets sent by pfsend at 1G line rate.

Can anyone let me know  if any additional configuration needs to be done or am I missing anything here. It will be 
great help to me

Please find the attached sample.conf, pfsend and snort logs

I have one more question w.r.t pfsend, when I am using pfsend with -r 1 it means send traffic at full line-rate i.e 1 
Gigbits/sec. Expected is that pfsend should send around 1488095 pkts/sec, but pfsend is sending at rate of [current 
625'048.82 pps/] please see the file pf_send.txt.

Can anyone explain why is this so ??

Thanks,
-Vinayak





________________________________

http://www.mindtree.com/email/disclaimer.html

Attachment: snort_1G-new.log
Description: snort_1G-new.log

Attachment: pf_send.txt
Description: pf_send.txt

Attachment: sample.log
Description: sample.log

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: