Snort mailing list archives
Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1
From: elof () sentor se
Date: Thu, 21 Feb 2013 11:05:25 +0100 (CET)
I only have "ipfw" daq apart from "pcap" and "dump". I've never used it nor run snort in inline mode. Thanks for opening a bug. I was expecting really positive results when upgrading to FreeBSD 9.1 and enabling zerocopy bpf, not *decreased* performance. PS: Speaking of bpf/daq buffers... I think you should add a little bit of verbosity when initializing snort, printing out what bpf bufsize snort use. Two examples: Ex - User has not explicitly set any --daq-var buffer_size : ... pcap DAQ configured to passive mode. pcap DAQ buffer_size: 10 485 760 bytes (default OS bpf buf size) ... Ex - User has set the --daq-var buffer_size to 512MB but the OS's net.bpf.maxbufsize only allow 128MB : ... pcap DAQ configured to passive mode. pcap DAQ buffer_size: 134 217 728 bytes (snort asked for 536 870 912 bytes) ... /Elof On Wed, 20 Feb 2013, Victor Roemer wrote:
Dug through the code a bit, and reread some libpcap documentation -- seems this may be due to inconsistent behavior across different "systems" that interpret the use of "timeout" in different ways.\ Do you see this with other DAQ's as well? ("dump" daq is an exception, its based on pcap as well) Meanwhile, I'll open a bug so we can investigate this more thoroughly. - Victor On Wed, Feb 20, 2013 at 4:33 AM, <elof () sentor se> wrote:On Tue, 19 Feb 2013, Victor Roemer wrote:Concerning your performance problems, you'll receive better feedback from the snort-users list, the snort-dev is primarily for receiving patches, discussing development etc..Thanks for the tip. I'm cross-posting the followups to snort-users as well. Your shutdown issue is interesting though. Can you send us the following1. Snort Version# snort --version ,,_ -*> Snort! <*- o" )~ Version 2.9.4 GRE (Build 40) '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/* *snort-team <http://www.snort.org/snort/snort-team> Copyright (C) 1998-2012 Sourcefire, Inc., et al. Using libpcap version 1.3.0 Using PCRE version: 8.32 2012-11-30 Using ZLIB version: 1.2.7 2. DAQ version# snort --daq-list | grep pcap pcap(v3): readback live multi unpriv # pkg_info | grep daq daq-2.0.0 Also, how are you "shutting down" snort. Which signal's are you sendingit.I'm sending a normal TERM signal ('kill <pid>'). Nothing happens unless a) more packets are seen on the sniffing interface or b) I run 'kill -9 <pid>'. /Elof I know historically there have been problems with BSD's related tothread synchronization, etc.. and most notably we do some special things for OpenBSD to fix these. - Victor On Tue, Feb 19, 2013 at 10:41 AM, <elof () sentor se> wrote:I just found something strange: How to reproduce: On a default installed FreeBSD 9.1 (amd64) machine I run the latest snort (compiled from ports). Snort is running fine (as a daemon). I replay a test-pcap with 1 000 000 packets at high speed. 'netstat -B' says: Pid Netif Flags Recv Drop Match Sblen Hblen Command 875 pflog0 p--s--l 0 0 0 0 0 pflogd 1757 mon0 p--s--- 999988 0 999988 0 0 snort So far everything's good. 0 drops. (the 12 missing packets were dropped externally (in a hub)) I stop snort. It terminates just fine within a second or two. Now I run: sysctl net.bpf.zerocopy_enable=1 Then I start snort again. Problem #1: I replay the same 1 000 000 packets at the same speed. 'netstat -B' now show: Pid Netif Flags Recv Drop Match Sblen Hblen Command 875 pflog0 p--s--l 0 0 0 0 0 pflogd 1912 mon0 p--s--- 999978 159417 999978 2096329 2095593 snort Aw! 159417 drops (16%)! This is reproduceable every time. Problem #2: When I now try to terminate the snort process, it won't die. It doesn't even start to syslog that it is shutting down. Nothing happen at all. After a few minutes I give up and kill it with -9. This problem only seem to appear if the monitoring NIC is completely silent (as mine are when I don't replay any test packets). If/when I start replaying some packets again, the snort process that I tried to kill (without -9) now finally terminates. Any ideas what is happening here? /Elof ------------------------------**------------------------------** ------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb> ______________________________**_________________ Snort-devel mailing list Snort-devel@lists.sourceforge.**net <Snort-devel () lists sourceforge net> https://lists.sourceforge.net/**lists/listinfo/snort-devel<https://lists.sourceforge.net/lists/listinfo/snort-devel> Archive: http://sourceforge.net/**mailarchive/forum.php?forum_**name=snort-devel<http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 19)
- Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 Victor Roemer (Feb 19)
- Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 20)
- Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 Victor Roemer (Feb 20)
- Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 21)
- Re: [Snort-devel] Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 elof (Feb 20)
- Re: Bad performance x 2 when using net.bpf.zerocopy_enable=1 on FreeBSD 9.1 Victor Roemer (Feb 19)