Re: pfring and traffic splitting

["Jefferson, Shawn" <Shawn.Jefferson () bcferries com>]

Have you taken a look at your rule performance?  A few really bad rules can kill your performance quickly.


-----Original Message-----
From: Greg Williams [mailto:gwillia5 () uccs edu] 
Sent: Tuesday, November 06, 2012 7:42 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] pfring and traffic splitting

Thanks Peter, I tried it, and I'll leave it running for a while.  Looks like it's still dropping about 43% of packets 
with only 83Mbps right now.  I'm guessing it has something to do with packet reassembly in Stream5.  If I turn off tcp 
reassembly, I don't lose any packets, but then I also don't get any alerts.  

According to the performance stats:  

Num            Preprocessor                  Layer       Checks        Exits               Microsecs      Avg/Check   
Pct of Caller           Pct of Total
 ===            ============              =====     ======      =====           =========  ========= ============= 
============
1                   s5TcpProcessRebuilt     4                29922             29922             22845088     763.49    
        4101.47                    36.70


------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!