Snort mailing list archives

Re: pfring and traffic splitting


From: Greg Williams <gwillia5 () uccs edu>
Date: Tue, 6 Nov 2012 15:42:14 +0000

Thanks Peter, I tried it, and I'll leave it running for a while.  Looks like it's still dropping about 43% of packets 
with only 83Mbps right now.  I'm guessing it has something to do with packet reassembly in Stream5.  If I turn off tcp 
reassembly, I don't lose any packets, but then I also don't get any alerts.  

According to the performance stats:  

Num  Preprocessor         Layer  Checks  Exits  Microsecs  Avg/Check  Pct of Caller  Pct of Total
===  ============         =====  ======  =====  =========  =========  =============  ============
1    s5TcpProcessRebuilt  4      29922   29922  22845088   763.49     4101.47        36.70

-----Original Message-----
From: Peter Bates [mailto:peter.bates () ucl ac uk] 
Sent: Tuesday, November 06, 2012 3:00 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] pfring and traffic splitting


Hello all

On 05/11/2012 18:14, Greg Williams wrote:
> I have been running Snort 2.9.2 for quite a while.  I decided to look at the stats and it was dropping around 50% of
> the packets ~170Mbps.  I decided to install PFRING and update Snort.  My problem is that pfring doesn't look like
> it's splitting any traffic.  Any ideas?

I'm quite surprised you're dropping 50% at only 170Mbps - have you tried using the AF_PACKET DAQ and a buffer of 
512Mb-1Gb?

I'm running PF_RING quite happily but on systems with < 200Mbps have not felt the need.

config daq_dir: /usr/local/lib/daq
config daq_mode: passive
config daq: afpacket
config daq_var: buffer_size_mb=1024
 
--
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT


------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center Diagnose problems and improve visibility into 
emerging IT issues Automate, monitor and manage. Do more in less time with Central http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
