Snort mailing list archives

Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1


From: elof () sentor se
Date: Thu, 21 Feb 2013 11:05:25 +0100 (CET)


I only have "ipfw" daq apart from "pcap" and "dump".
I've never used it nor run snort in inline mode.

Thanks for opening a bug. I was expecting really positive results when 
upgrading to FreeBSD 9.1 and enabling zerocopy bpf, not *decreased* 
performance.


PS:
Speaking of bpf/daq buffers...
I think you should add a little bit of verbosity when initializing snort, 
printing out what bpf bufsize snort uses.

Two examples:
Ex - User has not explicitly set any --daq-var buffer_size :
   ...
   pcap DAQ configured to passive mode.
   pcap DAQ buffer_size: 10 485 760 bytes (default OS bpf buf size)
   ...

Ex - User has set the --daq-var buffer_size to 512MB but the OS's 
net.bpf.maxbufsize only allows 128MB :
   ...
   pcap DAQ configured to passive mode.
   pcap DAQ buffer_size: 134 217 728 bytes (snort asked for 536 870 912 bytes)
   ...

/Elof
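The two checks discussed in this thread, the effective BPF buffer that a capture process actually gets versus what it asked for, and the drop ratio visible in `netstat -B`, are easy to script so a sensor operator notices them before a tuning change such as `net.bpf.zerocopy_enable` silently costs 16% of the traffic. The example below is added here and is not code from the thread or from the Snort/DAQ project; the `sysctl` values and the `netstat -B` text it parses are constructed from the numbers quoted in the thread (on a live FreeBSD host you would feed it the output of `sysctl -n net.bpf.bufsize net.bpf.maxbufsize` and `netstat -B`), and the function names are my own.

```python
"""Added example: BPF buffer budget and capture-drop check for a sniffing sensor.

Not part of the mailing-list thread; the inputs below are constructed from the
values quoted in it (512 MB requested, 128 MB net.bpf.maxbufsize, 10 MB default,
and the netstat -B table showing 159417 drops out of 999978 packets).
"""
from typing import List, Optional, Tuple

# Constructed sysctl values (bytes), mirroring the thread's examples.
OS_DEFAULT_BPF_BUFSIZE = 10 * 1024 * 1024      # net.bpf.bufsize on the sensor
OS_MAX_BPF_BUFSIZE = 128 * 1024 * 1024         # net.bpf.maxbufsize on the sensor
REQUESTED_BUFSIZE = 512 * 1024 * 1024          # --daq-var buffer_size=536870912

# Constructed netstat -B output, copied from the zerocopy run in the thread.
NETSTAT_B_OUTPUT = """\
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort
"""


def _fmt(n: int) -> str:
    """Thousands separated by spaces, the way the thread prints byte counts."""
    return f"{n:,}".replace(",", " ")


def effective_bpf_bufsize(requested: Optional[int], os_default: int, os_max: int) -> Tuple[int, str]:
    """Return (bytes the kernel will actually grant, startup message).

    The kernel clamps any requested BPF buffer to net.bpf.maxbufsize; if the
    operator set nothing, the OS default applies.  The message follows the
    format proposed in the thread so the discrepancy is visible at startup.
    """
    if requested is None:
        return os_default, f"pcap DAQ buffer_size: {_fmt(os_default)} bytes (default OS bpf buf size)"
    granted = min(requested, os_max)
    if granted < requested:
        return granted, (f"pcap DAQ buffer_size: {_fmt(granted)} bytes "
                         f"(snort asked for {_fmt(requested)} bytes)")
    return granted, f"pcap DAQ buffer_size: {_fmt(granted)} bytes"


def parse_netstat_b(text: str) -> List[dict]:
    """Parse the fixed-column `netstat -B` table into one dict per BPF consumer."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip anything that is not a data row
        rec = dict(zip(header, fields))
        for key in ("Pid", "Recv", "Drop", "Match", "Sblen", "Hblen"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows


def drop_ratio(rec: dict) -> float:
    """Fraction of received packets the BPF buffer dropped for this consumer."""
    return rec["Drop"] / rec["Recv"] if rec["Recv"] else 0.0


def sensors_over_threshold(text: str, threshold: float = 0.01) -> List[Tuple[str, int, float]]:
    """Return (command, pid, ratio) for every BPF consumer dropping more than `threshold`."""
    hits = []
    for rec in parse_netstat_b(text):
        ratio = drop_ratio(rec)
        if ratio > threshold:
            hits.append((rec["Command"], rec["Pid"], ratio))
    return hits


if __name__ == "__main__":
    for req in (None, REQUESTED_BUFSIZE):
        _, msg = effective_bpf_bufsize(req, OS_DEFAULT_BPF_BUFSIZE, OS_MAX_BPF_BUFSIZE)
        print(msg)
    for cmd, pid, ratio in sensors_over_threshold(NETSTAT_B_OUTPUT):
        print(f"WARNING: {cmd} (pid {pid}) dropping {ratio:.1%} of captured packets")
```

Run periodically (or once after any change to `net.bpf.*` sysctls), a non-zero `Drop` column on the monitoring interface is the earliest sign that the capture path, not the detection engine, is losing traffic; the thread's first table, with zerocopy disabled, would produce no warning at all.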


On Wed, 20 Feb 2013, Victor Roemer wrote:
Dug through the code a bit, and reread some libpcap documentation -- seems
this may be due to inconsistent behavior across different "systems" that
interpret the use of "timeout" in different ways.

Do you see this with other DAQs as well? ("dump" daq is an exception, it's
based on pcap as well)

Meanwhile, I'll open a bug so we can investigate this more thoroughly.

- Victor

On Wed, Feb 20, 2013 at 4:33 AM, <elof () sentor se> wrote:


On Tue, 19 Feb 2013, Victor Roemer wrote:

Concerning your performance problems, you'll receive better feedback from
the snort-users list, the snort-dev is primarily for receiving patches,
discussing development etc..


Thanks for the tip.
I'm cross-posting the followups to snort-users as well.



Your shutdown issue is interesting though. Can you send us the following
1. Snort Version


# snort --version
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

2. DAQ version


# snort --daq-list | grep pcap
pcap(v3): readback live multi unpriv

# pkg_info | grep daq
daq-2.0.0



Also, how are you "shutting down" snort. Which signals are you sending
it.


I'm sending a normal TERM signal ('kill <pid>'). Nothing happens unless a)
more packets are seen on the sniffing interface or b) I run 'kill -9 <pid>'.

/Elof







I know historically there have been problems with BSDs related to
thread synchronization, etc.. and most notably we do some special things
for OpenBSD to fix these.

- Victor

On Tue, Feb 19, 2013 at 10:41 AM, <elof () sentor se> wrote:


I just found something strange:

How to reproduce:

On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort
(compiled from ports).

Snort is running fine (as a daemon).
I replay a test-pcap with 1 000 000 packets at high speed.

'netstat -B' says:
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1757   mon0 p--s---    999988         0    999988     0     0 snort

So far everything's good.
0 drops.
(the 12 missing packets were dropped externally (in a hub))


I stop snort.
It terminates just fine within a second or two.

Now I run:
sysctl net.bpf.zerocopy_enable=1

Then I start snort again.


Problem #1:
I replay the same 1 000 000 packets at the same speed.
'netstat -B' now shows:
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
   875 pflog0 p--s--l         0         0         0     0     0 pflogd
  1912   mon0 p--s---    999978    159417    999978 2096329 2095593 snort

Aw! 159417 drops (16%)!
This is reproducible every time.


Problem #2:
When I now try to terminate the snort process, it won't die.
It doesn't even start to syslog that it is shutting down. Nothing happens
at all.
After a few minutes I give up and kill it with -9.

This problem only seems to appear if the monitoring NIC is completely
silent (as mine are when I don't replay any test packets).
If/when I start replaying some packets again, the snort process that I
tried to kill (without -9) now finally terminates.



Any ideas what is happening here?

/Elof


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!




