Snort mailing list archives

Re: Question about outstanding packets


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 13 Feb 2015 13:00:04 +0000

It looks like Snort is being oversubscribed. Which mode are you running the daq with?

If you are using the default (pcap) you can try either afpacket or netmap and see if that changes the numbers and gives 
you an idea of where to look. 

Afpacket should perform better than the pcap mode because it creates a ring of pointers to the packets.

Netmap should be able to achieve near wire speeds since netmap doesn't have the buffer copy IO overhead.   

Keep in mind this could make it worse because even though the packets are being copied in faster Snort still needs time 
to process them. If that happens I would lean towards looking for a box with more power or filtering down the amount of 
traffic snort is seeing.

The instructions for using / setting up AFPACKET and NETMAP are in the daq manual/readme.


Hope this helps!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 

-----Original Message-----
From: C. L. Martinez [mailto:carlopmart () gmail com] 
Sent: Friday, February 13, 2015 2:02 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Question about outstanding packets

Hi all,

 Under my snort's statistics, I see results like these every day:

*** Caught Term-Signal
===============================================================================
Run time for packet processing was 86064.336514 seconds
Snort processed 2731635677 packets.
Snort ran for 0 days 23 hours 54 minutes 24 seconds
    Pkts/hr:    118766768
   Pkts/min:      1904906
   Pkts/sec:        31739
===============================================================================
Packet I/O Totals:
   Received:   3097205569
   Analyzed:   2731635677 ( 88.197%)
    Dropped:      1427584 (  0.046%)
   Filtered:            0 (  0.000%)
Outstanding:    365569892 ( 11.803%)
   Injected:            0
===============================================================================

But I don't clearly see what "Outstanding" packets means. According to Snort's docs:

Outstanding indicates how many packets are buffered awaiting processing. The way this is counted varies per DAQ so the 
DAQ documentation should be consulted for more info.

Searching inside DAQ's README I don't see any reference about outstanding packets.

How does daq manage these packets? How can I reduce the outstanding stats?

Thanks.

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership 
with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to 
news, videos, case studies, tutorials and more. Take a look and join the conversation now. 
http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
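
The check discussed in this thread, as an added example that is not part of the original messages or of Snort: it parses a "Packet I/O Totals" block from Snort's shutdown statistics and flags a sensor that is falling behind. The function names and the 1% alert thresholds are assumptions for illustration, and the sample input is the block quoted in the thread.

```python
import re

# Sample input: the "Packet I/O Totals" block quoted in this thread.
SAMPLE = """\
Packet I/O Totals:
   Received:   3097205569
   Analyzed:   2731635677 ( 88.197%)
    Dropped:      1427584 (  0.046%)
   Filtered:            0 (  0.000%)
Outstanding:    365569892 ( 11.803%)
   Injected:            0
"""

COUNTER = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.MULTILINE,
)
REQUIRED = {"received", "analyzed", "dropped", "outstanding"}


def parse_io_totals(text):
    """Return the counters of a Packet I/O Totals block as a dict of ints."""
    totals = {name.lower(): int(value) for name, value in COUNTER.findall(text)}
    missing = REQUIRED - totals.keys()
    if missing:
        raise ValueError(f"incomplete stats block, missing: {sorted(missing)}")
    return totals


def assess(totals, max_outstanding_pct=1.0, max_dropped_pct=1.0):
    """Compute backlog and drop ratios; thresholds are assumed defaults."""
    received = totals["received"]
    offered = received + totals["dropped"]  # packets seen plus packets lost
    outstanding_pct = 100.0 * totals["outstanding"] / received if received else 0.0
    dropped_pct = 100.0 * totals["dropped"] / offered if offered else 0.0
    return {
        "outstanding_pct": outstanding_pct,
        "dropped_pct": dropped_pct,
        # Packets received but never analyzed were not inspected by any rule.
        "oversubscribed": outstanding_pct > max_outstanding_pct
        or dropped_pct > max_dropped_pct,
    }


if __name__ == "__main__":
    report = assess(parse_io_totals(SAMPLE))
    print({k: round(v, 3) if isinstance(v, float) else v for k, v in report.items()})
```

In the sample, Analyzed plus Outstanding equals Received, so the 11.803% outstanding figure is traffic that was captured but never inspected.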
