Re: high packet loss - low throughput

[Michal Purzynski <michal () rsbac org>]

On 7/21/13 2:19 PM, beenph wrote:
> Disable hyperthreading.
Old and wrong advice from a pre Nehalem era.
> Balance your IRQ's so network irq are cpu bound.
Done long time ago at restart, irqbalance removed from the system,
> bind each instance of snort to each cpu its listening network
> interface is bound.
Very bad idea, packet loss around 60% with it.
> On Sun, Jul 21, 2013 at 6:16 AM, Michal Purzynski <michal () rsbac org> wrote:
> > On 7/21/13 2:22 AM, Joel Esler wrote:
> >
> > On Jul 20, 2013, at 6:46 PM, Michal Purzynski <michal () rsbac org> wrote:
> >
> > The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find
> > it actualy hard to believe as the "empty" snort used to do around
> > 250-300Mbit/sec per core here. Empty as in no rules at all.
> >
> >
> > Even more.  But we have a dedicated appliance specifically tuned with
> > special drivers to run Snort very fast.  You are doing this, I assume on
> > commodity hardware, on a stock OS, running many things (Security Onion)
> >
> >
> > Not really, SO is so wonderful you can enable and disable functionality on
> > demand, and so I've done. The box is running snort and netsniff-ng only, has
> > around 20 processes of snort (24 execution threads with HT enabled).
> >
> > Still - 45Mbit/sec per instance with packet loss is disappointing. And 100
> > would be too.
> >
> > Also, I'm running Intel and pf_ring, can try a Myricom (and not pf_ring). I
> > won't try anything more expensive like FPGA accelerated cards, since I find
> > them too limited and having no real advantage over Myricom and a lot of
> > downsides.
> >
> > ------------------------------------------------------------------------------
> > See everything from the browser to the database with AppDynamics
> > Get end-to-end visibility with application monitoring from AppDynamics
> > Isolate bottlenecks and diagnose root cause in seconds.
> > Start your free trial of AppDynamics Pro today!
> > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!


------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!