Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1

[elof () sentor se]

On Tue, 19 Feb 2013, Victor Roemer wrote:
> Concerning your performance problems, you'll receive better feedback from
> the snort-users list, the snort-dev is primarily for receiving patches,
> discussing development etc..

Thanks for the tip.
I'm cross-posting the followups to snort-users as well.


> Your shutdown issue is interesting though. Can you send us the following
> 1. Snort Version

# snort --version
    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.4 GRE (Build 40)
    ''''    By Martin Roesch & The Snort Team: 
http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
            Using libpcap version 1.3.0
            Using PCRE version: 8.32 2012-11-30
            Using ZLIB version: 1.2.7

> 2. DAQ version

# snort --daq-list | grep pcap
pcap(v3): readback live multi unpriv

# pkg_info | grep daq
daq-2.0.0


> Also, how are you "shutting down" snort. Which signal's are you sending it.

I'm sending a normal TERM signal ('kill <pid>'). Nothing happens unless a) 
more packets are seen on the sniffing interface or b) I run 'kill -9 
<pid>'.

/Elof






> I know historically there have been problems with BSD's related to
> thread synchronization, etc.. and most notably we do some special things
> for OpenBSD to fix these.
>
> - Victor
>
> On Tue, Feb 19, 2013 at 10:41 AM, <elof () sentor se> wrote:
>
> > I just found something strange:
> >
> > How to reproduce:
> >
> > On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort
> > (compiled from ports).
> >
> > Snort is running fine (as a daemon).
> > I replay a test-pcap with 1 000 000 packets at high speed.
> >
> > 'netstat -B' says:
> >    Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
> >    875 pflog0 p--s--l         0         0         0     0     0 pflogd
> >   1757   mon0 p--s---    999988         0    999988     0     0 snort
> >
> > So far everything's good.
> > 0 drops.
> > (the 12 missing packets were dropped externally (in a hub))
> >
> >
> > I stop snort.
> > It terminates just fine within a second or two.
> >
> > Now I run:
> > sysctl net.bpf.zerocopy_enable=1
> >
> > Then I start snort again.
> >
> >
> > Problem #1:
> > I replay the same 1 000 000 packets at the same speed.
> > 'netstat -B' now show:
> >    Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
> >    875 pflog0 p--s--l         0         0         0     0     0 pflogd
> >   1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort
> >
> > Aw! 159417 drops (16%)!
> > This is reproduceable every time.
> >
> >
> > Problem #2:
> > When I now try to terminate the snort process, it won't die.
> > It doesn't even start to syslog that it is shutting down. Nothing happen
> > at all.
> > After a few minutes I give up and kill it with -9.
> >
> > This problem only seem to appear if the monitoring NIC is completely
> > silent (as mine are when I don't replay any test packets).
> > If/when I start replaying some packets again, the snort process that I
> > tried to kill (without -9) now finally terminates.
> >
> >
> >
> > Any ideas what is happening here?
> >
> > /Elof
> >
> >
> > ------------------------------------------------------------------------------
> > Everyone hates slow websites. So do we.
> > Make your web apps faster with AppDynamics
> > Download AppDynamics Lite for free today:
> > http://p.sf.net/sfu/appdyn_d2d_feb
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!