Snort mailing list archives

Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1


From: elof () sentor se
Date: Tue, 19 Feb 2013 16:41:55 +0100 (CET)


I just found something strange:

How to reproduce:

On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort 
(compiled from ports).

Snort is running fine (as a daemon).
I replay a test-pcap with 1 000 000 packets at high speed.

'netstat -B' says:
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1757   mon0 p--s---    999988         0    999988     0     0 snort

So far everything's good.
0 drops.
(the 12 missing packets were dropped externally (in a hub))


I stop snort.
It terminates just fine within a second or two.

Now I run:
sysctl net.bpf.zerocopy_enable=1

Then I start snort again.


Problem #1:
I replay the same 1 000 000 packets at the same speed.
'netstat -B' now shows:
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort

Aw! 159417 drops (16%)!
This is reproducible every time.


Problem #2:
When I now try to terminate the snort process, it won't die.
It doesn't even start to syslog that it is shutting down. Nothing happens 
at all.
After a few minutes I give up and kill it with -9.

This problem only seems to appear if the monitoring NIC is completely 
silent (as mine are when I don't replay any test packets).
If/when I start replaying some packets again, the snort process that I 
tried to kill (without -9) now finally terminates.



Any ideas what is happening here?

/Elof

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
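
The drop comparison in the post above can be automated on a sensor. The following is an added example, not part of the original post or of Snort: it parses `netstat -B` output in the column layout shown in the message and reports any BPF consumer whose Drop/Recv ratio reaches a threshold. The function names and the threshold parameter are assumptions; the sample rows are copied from the post.

```shell
#!/bin/sh
# Added example: flag BPF consumers (e.g. snort) that are dropping packets.
# Expects `netstat -B` output on stdin with the columns shown in the post:
#   Pid Netif Flags Recv Drop Match Sblen Hblen Command

# bpf_drop_report (hypothetical name): $1 = threshold in percent, default 1.
# Prints one line per offender; returns 1 if any offender was found.
bpf_drop_report() {
    awk -v limit="${1:-1}" '
        $1 == "Pid" { next }                           # header row
        NF < 9 { next }                                # short or blank line
        $4 !~ /^[0-9]+$/ || $5 !~ /^[0-9]+$/ { next }  # non-numeric counters
        {
            recv = $4; drop = $5
            # Same ratio the post uses: Drop relative to Recv.
            pct = (recv > 0) ? 100 * drop / recv : 0
            if (pct >= limit) {
                printf "%s pid=%s if=%s recv=%d drop=%d pct=%.1f\n",
                       $9, $1, $2, recv, drop, pct
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample input: the rows from the zerocopy run quoted in the post.
sample_netstat_b() {
    cat <<'EOF'
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort
EOF
}

# Stand-alone run on the sample; on a live sensor use:
#   netstat -B | bpf_drop_report 1
sample_netstat_b | bpf_drop_report 1 || true
```

A non-zero return makes the function usable directly from cron or a monitoring check.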