Huge performance drop for Snort-2.9.4

[abed mohammad kamaluddin <abedamu () gmail com>]

Hi,

While upgrading from 2.9.0.4 to 2.9.4, there is huge performance drop.
I have compiled both sources using the same libraries, same compiler
options (default) and am running in the same environment using exactly
the same configuration and rule files. There is anything between 15 -
40 % decrease in performance depending upon the traffic.

I used Intel(R) Xeon(R) CPU X5650  @2.67GHz and daq pcap for the
tests. However live traffic also gives than 20% drop in performance.
Similar behavior is also seen on MIPs cpu. Here are the observations:

Pcap with no alerts, uniform large-sized half-million UDP pkts
snort-2.9.0.4  -  1692 Mbps
snort-2.9.4    -   1364 Mbps  (~20% drop)

Pcap with one alert - non-uniform small-sized TCP pkts
snort-2.9.0.4  254 Mbps
snort-2.9.4     163 Mbps  (~35 % drop)

This is easily reproducible using all types of traffic. Just to make
sure, I also tried 2.9.3.1 and it gave me good performance equivalent
to 2.9.0.4. So the reduction has crept up in 2.9.4 itself. I haven't
explored it, but maybe consolidation of IPv6 is the cause?

My earlier mail regarding optimization
(http://seclists.org/snort/2013/q1/195) has the same proportionate
performance enhancement on both 2.9.4 and 2.9.0.4.

Thanks,
Abed M K

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!