Snort mailing list archives
Re: PF_RING / DNA + Snort and high CPU utilization
From: Scott Finlon <scott.finlon () scranton edu>
Date: Thu, 18 Jul 2013 13:33:29 +0000
On the new box, I originally compiled PF_RING 5.6.1 and Snort 2.9.5, but downgraded to PF_RING 5.5.3 and Snort 2.9.4.6 to match the old box. They are both the exact same versions of everything now. I'm talking with Alfredo from NTOP about the issue as well, so once I can determine if it's PF_RING or Snort I'll definitely post back for future reference.

Scott Finlon, CISSP GCIA
-----------------------------------
Information Security Engineer
The University of Scranton
email : scott.finlon () scranton edu
phone : 570-941-6168
-----------------------------------

From: Ward Sladek <wsladekjr () hotmail com>
Date: Thursday, July 18, 2013 9:19 AM
To: beenph <beenph () gmail com>, Scott Finlon <scott.finlon () scranton edu>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] PF_RING / DNA + Snort and high CPU utilization

Also what version of Snort are you using? And are the versions of Snort the same between the old box and new box? I noticed Snort was consuming 100% of CPU cores when I moved to 2.9.5.0 and reverted back to 2.9.4.6 (I run PF_RING only, no DNA).

Date: Wed, 17 Jul 2013 23:07:05 -0400
From: beenph () gmail com
To: scott.finlon () scranton edu
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] PF_RING / DNA + Snort and high CPU utilization

On Wed, Jul 17, 2013 at 9:38 PM, Scott Finlon <scott.finlon () scranton edu> wrote:

> Writing this again, this time as a new thread. I am in the process of moving Snort from an older box to a new box. Both are RHEL 6 x64, both with the same NICs. Old box has dual E5-2609s, an Intel x520 NIC, and 32 GB of RAM. New box has dual E5-2660s, an Intel x520, and 64 GB of RAM.
>
> Using the same configurations on both boxes, I am using PF_RING/DNA to split traffic across CPU cores on the box, and can verify using PF_RING's tool that traffic is being split the way it should be. I compiled Snort on the new box fresh, but copied the configs over. The old box CPU is currently sitting around 10%, the new box has the cores pegged at 99-100%. At Beenph's request, I disabled HT on the new box, but the CPU is still maxed.

NIC Drivers? Kernel version? native compile? How do you bound your cpu, which queueing mechanism do you use to separate queue etc... Which process is taking the cpu's?

-elz

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- PF_RING / DNA + Snort and high CPU utilization Scott Finlon (Jul 17)
- Re: PF_RING / DNA + Snort and high CPU utilization beenph (Jul 17)
- Re: PF_RING / DNA + Snort and high CPU utilization Ward Sladek (Jul 18)
- Re: PF_RING / DNA + Snort and high CPU utilization Scott Finlon (Jul 18)
- Re: PF_RING / DNA + Snort and high CPU utilization Ward Sladek (Jul 18)
- Re: PF_RING / DNA + Snort and high CPU utilization beenph (Jul 17)